Apache Directory follows the ASF security process. Report privately to security@apache.org (PMC: private@directory.apache.org); do not open public issues/PRs for security reports.

apache/directory-fortress-core is the Fortress RBAC/ARBAC authorization engine within the Apache Directory project. Its security context is covered by the Apache Directory umbrella threat model (Fortress addendum (F)): https://github.com/apache/directory-server/blob/master/THREAT_MODEL.md