To report a security vulnerability in Apache ORC, follow the ASF security process at https://www.apache.org/security/. Reports can be sent privately to security@apache.org or to private@orc.apache.org.
Apache ORC's security guidance is documented at:
https://orc.apache.org/security/
Automated security scanning agents should consult that document for the project's in-scope / out-of-scope declarations before reporting issues.