To report a security vulnerability in Apache HBase, please send a private email to security@apache.org — the Apache Software Foundation security team. Do not open a public GitHub issue or pull request, as that risks disclosure before a fix is available.
The Apache HBase PMC is looped in privately as part of the standard ASF disclosure process. See https://www.apache.org/security/ for the overall ASF vulnerability handling flow.
Apache HBase's security model — trust boundaries, what constitutes a valid vulnerability report, and what does not — is documented at:
https://hbase.apache.org/security-model/
Please read that document before filing a report so the PMC can triage quickly and accurately.
Agents and automated security tools analyzing this repository should also consult AGENTS.md, which references the same security model as the authoritative scope document.