All software produced by the Foundation is available for download, by anyone and for free, from our websites and mirrors. We do not sell it; we give it away. Neither do we provide formal or commercial support for any of our packages.
Also see the "is it free" and following sections in our license FAQ and our "Apache software is free of cost" page.
Please consult our detailed information on the export control status of The Apache Software Foundation's products.
If a vendor is choosing to distribute ASF software, it is their
responsibility to get whatever licenses or other blessings they need for
their application. Consult your own IP/export attorney
for further advice.
Each Apache project uses an issue tracker dedicated to their project. The best way is to go to that project's webpage. If you still have trouble finding it, try finding the project at projects.apache.org or by browsing issues.apache.org.
You may read our formal Trademark Policy as an introduction. For any questions about the use of Apache marks, including logos and project or product names, or the Apache name or feather, contact the Brand Management Committee as well as the relevant Project Management Committee.
If you have sent mail about a license issue or question, please review the online license at the URL listed below. The gist of the license is that you may use, modify, and [re]distribute the Apache software as-is. As long as you do not change the software, you may re-distribute it and call it "Apache." If you alter the software in any way, other than tailoring the configuration files or making it compilable on your platform, you may only refer to it as being based upon Apache. In all cases, altered or not, you must include attribution as described in section 3 of the license. If you have further questions, see our license FAQ. If that doesn't answer them, you may contact our Legal Affairs Committee.
We address specific questions about trademarks of The Apache Software Foundation on the Trademark Policy page.
Visit https://apache.org/security/ to learn how to report a security vulnerability.
Yes, the ASF is a membership-based corporation registered in Delaware, United States. It is a registered non-profit charity, and has received 501(c)(3) status from the U.S. Internal Revenue Service. However, even if something happens that changes that status, the ASF is still a not-for-profit enterprise.
As a corporate entity, the Apache Software Foundation is able to be a party to contracts, such as for technical services or guarantee-bonds for conferences. It can also accept donations on behalf of its projects, clarify any associated tax issues, and create additional self-funded services via community building activities, such as Apache-related T-shirts and user conferences.
In addition, the Foundation provides a framework for limiting the legal exposure of individual volunteers while they work on behalf of one of the ASF's projects. In the past, these volunteers were personally vulnerable to lawsuits, whether legitimate or frivolous, which impaired many activities that might have significantly improved contributions to the projects and benefited our users.
As officers of the corporation, PMC Chairs act on behalf of the corporation, providing for their project the oversight that the ASF requires. Since the officer is acting on behalf of the corporation, there is no personal liability -- standard corporate assumption of liability occurs. If the officer were not acting in accordance with their stated role, then they would be personally liable. Since the ASF assumes liability, it responds on behalf of individual projects when there are complaints or even legal action.
Officers and members are further indemnified in accordance with our bylaws (meaning we also take care of their legal expenses if they are sued due to their role's actions). In essence, PMC chairs must be officers because the board can only delegate things to employees or officers. It is impossible to delegate authority to someone who has no authority.
The ASF provides protection from legal liability for Members, Officers, and Directors as noted in section 12.1 of the Bylaws. No legal liability is offered to committers, PMC members, and anyone else who contributes to the ASF and its projects.
All software developed within the Foundation belongs to the ASF, and therefore the members. The members own the code and the direction of it and the Foundation. Committers work on their project's code; good committers become ASF members and thus share the ownership of the software and the Foundation's decision-making.
The Apache Software Foundation is a meritocracy, which means that, to become a member, you must first be actively contributing to one or more of the Foundation's collaborative projects. New candidates for membership are nominated by an existing member and then put to vote; a majority of the existing membership must approve a candidate in order for the candidate to be accepted.
No, the membership of the ASF is composed of individuals, not companies. This does not mean that individuals who work at a company cannot contribute to ASF, quite the contrary. We have a specific CLA to assure that individuals can clearly contribute to the ASF during "work time."
There are instances where bad actors use ASF software and/or the Apache license in their malicious code or misuse the Apache name for fraudulent purposes. The ASF does not create user apps or programs that comprise the many forms of malware. If you are experiencing issues with your mobile device, computer or website, we recommend you visit your mobile service provider, ISP, tech support provider, or web hosting provider. If you are otherwise threatened, please contact your local law enforcement authority for guidance.
For those seeking technical assistance with one of the ASF's hundreds of projects, we encourage you to visit the project's site for information on mailing lists that may contain answers to your question or guidelines for known issues.
If you have sent us mail because you saw a page saying 'It Worked!' (or
something similar indicating that the Apache HTTP server has been installed) on your screen
when you visit a web site, go back and READ the page. It should
explain what is going on. The page is the equivalent of a demo or the
ReadMe file from a Windows application installation; it is intended for the
person who installed the software and is supposed to show that the
installation completed successfully. The problem you are experiencing
has nothing to do with us, and we cannot help you. You need to contact the
Webmaster for the site. If the site is www.foo.com, for instance, try
sending mail to [email protected]. If it's www.toddsbeer.org, send
mail to [email protected]. And so on.
Some older versions of the 'It Worked!' page (supplied with older versions of the software) don't say that, or are mysterious or ambiguous. What they should say, and what the recent versions say, is something like this:
It Worked! The Apache Web Server is installed on this Web Site!
---
If you can see this page, then the people who own this
domain have just installed the Apache Web server software
successfully. They now have to add content to this directory
and replace this placeholder page, or else point the server
at their real content.
---
If you are seeing this page instead of the site you expected,
please contact the administrator of the site involved. (Try
sending mail to <Webmaster@domain>.) Although this site is
running the Apache software it almost certainly has no other
connection to the Apache Group, so please do not send mail
about this site or its contents to the Apache authors. If you
do, your message will be ignored.
If you think that the Apache HTTP Server software has somehow been installed on your PC or laptop, don't worry: IT HASN'T. The page you are seeing is from a remote website that has installed our software and which you have visited.
If you sent your message because your intrusion detection reported an attack on your system and you clicked on the name or IP address of the attacking system, please use the Whois (if it reported a name) or the ARIN (if it reported an address) databases to locate the actual owner of the system. These databases are the authoritative ones for the Internet.
If you think that ASF has somehow 'hijacked,' 'taken over,' or otherwise blocked access to a website, IT HASN'T. The people who actually run the website have installed or upgraded the Apache software which answers browser requests, and haven't completed the upgrade yet.
If you have sent us mail because you think you have traced spam to a system that displays the 'It Worked!' page, or another page indicating that Apache is running on the system, the same advice applies: it is not our system; they are just using web software we develop and distribute for free. The web software has nothing to do with email or spam; it's just running on the same system. Apache has as much to do with email as Tetris does, and assuming we're responsible in any way for the spam is as reasonable as blaming Microsoft and Microsoft Excel because someone used Netscape to send you a nasty message. We are not and cannot be responsible for their activity. Internet databases such as ARIN or Whois will help you find out who actually owns the systems, domains, and/or IP addresses involved.
How to: Look up the owner of a domain (such as foo.com): http://www.networksolutions.com/cgi-bin/whois/whois Whois database (tells you who owns a domain, such as foo.com).
How to: Look up the owner of an IP address (such as 10.0.35.147): https://ws.arin.net/whois/. ARIN (Registered Internet Numbers) database (tells you who owns an IP address, such as 10.0.35.147, or which other database to query if the address is assigned outside the USA).
The ASF discourages this because it is detrimental to the long-term health of a project community to continually call attention to the individuals and/or organizations that originally created the project.
If it is necessary to highlight individuals and companies who founded a project that is now under the ASF’s stewardship, they may be referred to as "original creator of Apache Project Name" or "original developer of Apache Project Name."