Reporting Security Issues

We take security seriously and would like our project to be as robust and dependable as possible. If you believe to have found a security bug, please do not file a public issue.

First, please carefully read the Apache Arrow Security Model and understand its implications for untrusted data, as some apparent security issues can actually be usage issues.

Second, please follow the standard vulnerability reporting process outlined by the Apache Software Foundation. We will assess your report, follow up with our evaluation of the issue, and fix it as soon as possible if we deem it to be an actual security vulnerability.

Published Security Issues

For security advisories published since 2023, please refer to this page maintained by the Apache Security Team.

For security advisories published before 2023, one can use a targeted search query on the CVE website.