The Apache Software Foundation takes a very active stance in eliminating security problems against the Apache Wicket web framework.
For reporting and discussing a security issue you should contact the Wicket PMC privately.
** PLEASE DO NOT CREATE A SECURITY REPORT IN OUR ISSUE TRACKER **
The issue tracker for Wicket is not the appropriate venue for reporting security issues as the issue tracker is publicly accessible. Instead, contact the Wicket PMC privately.
Send your security issue to private at wicket.apache.org. This list is not publicly available so we can discuss and fix the issue in private without leaking the info to any bad guys.
We treat all security issues seriously and will try to fix them as soon as possible in all affected versions that we still support.
The Security Team cannot accept regular bug reports or other queries, we ask that you use our bug reporting page for normal, non-security bugs.