BreakTest is a forked continuation of Apache JMeter and inherits much of JMeter's security model.
Please report suspected BreakTest vulnerabilities privately to the project maintainers; do not open public GitHub issues or pull requests for undisclosed security reports. If a vulnerability also affects upstream Apache JMeter, follow the Apache Software Foundation security process and report it privately to security@apache.org.
What the project treats as in scope and out of scope, the security properties it provides and disclaims, the adversary model, and how findings are triaged are documented in THREAT_MODEL.md.