Apache Doris security findings should be reported to
security@apache.org. The Apache Security Team will route reports to
the Doris project maintainers.

For security scope, trust boundaries, attacker roles, explicit
non-goals, and vulnerability triage classification, use
threat-model.md as the canonical source for this repository. Security
scanners, review agents, and vulnerability triagers should read
threat-model.md before classifying findings.

Findings that are out of model or by design under threat-model.md
should be reported with that disposition instead of being treated as
Doris vulnerabilities.