| Version | Supported |
|---|---|
| 4.1.x | ✅ |
| 4.0.x | ✅ |
| 3.6.x | ✅ |
| <= 3.5.x | ❌ |

For information on how to report a new security problem, please see here. Our existing security advisories are published here.

THREAT_MODEL.md documents what CXF treats as in scope and out of scope, the security properties it provides and the ones it disclaims, the adversary model, and how inbound reports and tool/AI findings are triaged. Because CXF is a framework, many of those properties are conditional on how the integrator configures it; the integrator-responsibilities and known-non-findings sections of that document are the most useful starting points for triaging a report.