potiuk commented on code in PR #32098: URL: https://github.com/apache/airflow/pull/32098#discussion_r1241234679
########## .github/SECURITY.md: ########## 
@@ -1,61 +1,50 @@ - .. Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at +This document contains information on how to report security vulnerabilities in Apache Airflow and +how the security issues reported to Apache Airflow security team are handled. If you would like +to learn about the security model of Airflow head to +[Airflow Security](https://airflow.apache.org/docs/apache-airflow/stable/security/) - .. http://www.apache.org/licenses/LICENSE-2.0 - - .. Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. - -Security Model --------------- - -In the Airflow security model, the system administrators are fully trusted. -They are the only ones who can upload new DAGs, which gives them the ability -to execute any code on the server. - -Authenticated web interface and API users with Admin/Op permissions are trusted, -but to a lesser extent: they can configure the DAGs which gives them some control, -but not arbitrary code execution. - -Authenticated Web interface and API users with 'regular' permissions are trusted -to the point where they can impact resource consumption and pause/unpause configured DAGs, -but not otherwise influence their functionality. - -Reporting Vulnerabilities -------------------------- +## Reporting Vulnerabilities **⚠️ Please do not file GitHub issues for security vulnerabilities as they are public! 
⚠️** The Apache Software Foundation takes security issues very seriously. Apache Airflow specifically offers security features and is responsive to issues around its features. If you have any concern around Airflow Security or believe you have uncovered a vulnerability, we suggest that you get in touch via the -e-mail address [email protected]. In the message, try to provide a -description of the issue and ideally a way of reproducing it. The security team -will get back to you after assessing the description. +e-mail address [[email protected]](mailto:[email protected]). +In the message, try to provide a description of the issue and ideally a way of +reproducing it. The security team will get back to you after assessing the report. Note that this security address should be used only for undisclosed vulnerabilities. Dealing with fixed issues or general questions on how to use the security features should be handled regularly via the user and the dev lists. Please report any security problems to the project security address before disclosing it publicly. -The `ASF Security team's page <https://www.apache.org/security/>`_ describes -how vulnerability reports are handled, and includes PGP keys if you wish to use -that. +Before reporting vulnerabilities, please make sure to read and understand the +[security model](https://airflow.apache.org/docs/apache-airflow/stable/security/) of Airflow, because +some of the potential security vulnerabilities that are valid for projects that are publicly accessible +from the Internet, are not valid for Airflow. Airflow is not designed to be used by untrusted users, and some +trusted users are trusted enough to do a variety of operations that could be considered as vulnerabilities +in other products/circumstances. This is the reason why some potential security vulnerabilities do not +apply to Airflow, or have different severity than generic scoring systems (for example `CVSS`) +calculation suggests. 
+The [ASF Security team's page](https://www.apache.org/security/>) describes
Review Comment: No worries at all :)
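Review bot: the last added line of the hunk has a stray `>` inside the link target, `[ASF Security team's page](https://www.apache.org/security/>)`, a leftover from the reStructuredText `` `text <url>`_ `` form that the rest of the hunk converts to Markdown; it should read `(https://www.apache.org/security/)` so the rendered link resolves. The same hunk also removes the ASF license header from the top of the file without adding a Markdown equivalent, so if the header is meant to be dropped for `.github/SECURITY.md`, that is worth stating in the PR description.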
