Apache APISIX (including this ingress controller) follows the Apache Software Foundation's vulnerability-disclosure policy. Please report security vulnerabilities to the ASF Security team at security@apache.org per https://www.apache.org/security/.
This repository inherits the Apache APISIX project threat model at:
https://github.com/apache/apisix/blob/master/docs/en/latest/security-threat-model.md
Of particular relevance to apisix-ingress-controller:
§4.8 covers a CRD-to-Admin-API fidelity invariant specific to this controller: a silent drop, injection, or rename between the apisix.apache.org CRD spec and the Admin API target is a controller bug.