potiuk opened a new pull request, #66931: URL: https://github.com/apache/airflow/pull/66931
## Summary

Adds an explicit out-of-scope section for non-Linux platforms to the Security Model. Bugs that only manifest on Windows / macOS / other non-Linux platforms are not eligible for CVE allocation because Airflow does not officially support those platforms as deployment targets.

## Motivation

Codifies what was already the security team's practice — most recently the disposition on a 2026-05-14 IMAP-attachment-path-traversal report ([GHSA-w72r-xvc9-jwgh](https://github.com/apache/airflow/security/advisories/GHSA-w72r-xvc9-jwgh)) that only manifested on Windows due to backslash path-separator handling, closed NOT-CVE-WORTHY on this basis.

Without an explicit Security Model section, reporters routinely submit Windows-only path-traversal / RCE reports that the team has to invalidate one-by-one with manual reasoning. Future Windows-only / macOS-only reports will be closed against this section, and reporters can read the rule upfront before submitting through `security@`.

The rule applies symmetrically: a bug that affects Linux is judged on the Linux behavior regardless of whether it also reaches Windows; non-Linux-only bugs are out of scope.

## Test plan

- [ ] Render the docs locally with `breeze build-docs apache-airflow --package-filter apache-airflow` and confirm the new section appears under the existing out-of-scope items in the Security Model page.
- [ ] Spot-check that the new anchor `#supported-deployment-platforms` is generated correctly (Sphinx generates anchor IDs from heading text via kebab-case).

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
