Our Security Policy

Reporting a vulnerability

To report a vulnerability you can either email security /at/ spamassassin.apache.org or open a bugzilla issue being very careful to set the Component to Security so that it is not generally visible. If you create the bug report you will have access to it, as will the security team.

Security team process

Once a potential vulnerability is reported to the committers, and has been verified to be an issue, here's what to do (based on what we did for bug 5480):

...