Apache Thrift follows the Apache Software Foundation vulnerability handling process.
Do not report security vulnerabilities through public GitHub issues, pull requests, or discussion threads.
Send a report to security@apache.org with:
- Apache Thrift version(s) affected
- Language binding(s) affected
- A clear description of the issue and its potential impact
- Reproduction steps or a minimal proof-of-concept (where safe to include)
The Apache Security Team will acknowledge receipt within a few days and will work with the project's security team to assess and remediate the issue before coordinating public disclosure.
The project maintains a threat model document at
doc/thrift-threat-model.md.
It describes the attack surface, trust boundaries, transport-level security properties,
and known design trade-offs for all supported language bindings.
Past security advisories are published on the Apache Thrift security page and on the ASF security advisories page.