Reporting security issues in HAProxy
------------------------------------

Before reporting anything, please read doc/internals/threat-model.txt. It
defines precisely what is and is not considered a security vulnerability in
HAProxy. A fair number of suspected issues (and most automated or LLM-assisted
findings) fall outside that boundary: they are ordinary bugs, and are best
reported and fixed in public through the usual channels described in the
"Contacts" section of doc/intro.txt.

If, after reading the threat model, you are confident you have found a genuine
security issue that would put many users at risk if discussed in the open, the
security team can be reached at security@haproxy.org, a private list read by a
handful of security officers; anything shared there remains private. Please
include a reproducer, and ideally a proposed and tested patch, as well as a
valid name under which the report can be credited.

Auxiliary tools in dev/ and admin/ are not intended for production use and are
by nature out of the security scope. Please report bugs affecting them via the
regular channels.

We usually don't use embargoes: once a fix is available it simply gets merged.
In rare circumstances a release may be coordinated with software vendors, but
this disrupts everyone's work and rushed releases can introduce new bugs, so it
is avoided unless strictly necessary. As a result, reports that needlessly
cause such extra burden get little consideration, and the most effective and
best credited way to report an issue is to provide a working fix, which will
appear in the changelogs.

Findings produced with the help of AI MUST be accompanied by a working, tested
patch. Such tools routinely report issues that are out of scope (see the threat
model above) or simply not real, and reviewing them by hand wastes the very
time and trust this process depends on. A model-generated report that arrives
without a verified reproducer and a fix will generally not be processed.

See also:
  - doc/internals/threat-model.txt : what qualifies as a vulnerability
  - doc/internals/core-principles.txt : the project's design principles
  - doc/intro.txt : general contacts and bug reporting