The Apache Software Foundation takes a very active stance in eliminating
security problems and denial of service attacks against Apache Tomcat.
We strongly encourage folks to report such problems to our private
security mailing list first, before disclosing them in a public forum.
We cannot accept regular bug reports or other queries at this
address; we ask that you use our bug reporting
page for those. All mail sent to this address that does not relate to
security problems in the Apache Tomcat source code will be ignored.
The mailing address is:
security@tomcat.apache.org
Note that all networked servers are subject to denial of service attacks,
and we cannot promise magic workarounds to generic problems (such as a
client streaming lots of data to your server, or re-requesting the same
URL repeatedly). In general, our philosophy is to avoid any attacks which
can cause the server to consume resources in a non-linear relationship to
the size of inputs.