| # Security |
| |
| Apache Tomcat's security model and disclosure process are |
| published on the project website rather than in the repository: |
| |
| - **Threat model and security policy**: |
| <https://tomcat.apache.org/security-model.html> |
| - **How to report a vulnerability**: see the Security section |
| of <https://tomcat.apache.org/>. |
| |
| The project website is the authoritative source; this file |
| exists so agents and tooling that look for `SECURITY.md` in |
| the repository can mechanically follow the link to the |
| canonical documents. |
