Contact the Apache Software Foundation Security Team and follow the guidelines on the Apache Software Foundation security page regarding vulnerability disclosure.