# Security

Apache Tomcat's security model and disclosure process are
published on the project website rather than in the repository:

- **Threat model and security policy**:
  <https://tomcat.apache.org/security-model.html>
- **How to report a vulnerability**: see the Security section
  of <https://tomcat.apache.org/>.

The project website is the authoritative source; this file
exists so agents and tooling that look for `SECURITY.md` in
the repository can mechanically follow the link to the
canonical documents.