I have absolutely 0 problem with this, as long as a disclaimer is listed like the OP did. I honestly think this is the right way to do it. Imagine though if apache had some major security flaw uncovered tomorrow and the maintainers said, "This is just an open source project. You are free to look into the issue and fix it yourself if you want. We will merge the pull request when we get around to it.". Managing expectations is-- as usual-- everything.