This is an automated email from the ASF dual-hosted git repository.

apitrou pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 0d7326a3bfb Announce Arrow security model (#753)
0d7326a3bfb is described below

commit 0d7326a3bfb872f9cda1d229266b6e9437cf1b6e
Author: Antoine Pitrou <[email protected]>
AuthorDate: Mon Feb 9 09:32:57 2026 +0100

    Announce Arrow security model (#753)
    
    1. Add a blog post announcing the [recently
    published](https://github.com/apache/arrow/pull/48870) security model
    document
    2. Reword security page to more explicitly outline the procedure,
    pointing to the security model as required reading before reporting a
    potential vulnerability
    
    ---------
    
    Co-authored-by: Bryce Mecum <[email protected]>
---
 _posts/2023-11-09-14.0.1-release.md       |  2 +-
 _posts/2026-02-09-arrow-security-model.md | 46 +++++++++++++++++++++++++++++++
 security.md                               | 16 +++++++++--
 3 files changed, 60 insertions(+), 4 deletions(-)

diff --git a/_posts/2023-11-09-14.0.1-release.md 
b/_posts/2023-11-09-14.0.1-release.md
index e5c2487a91e..1f941ecb97f 100644
--- a/_posts/2023-11-09-14.0.1-release.md
+++ b/_posts/2023-11-09-14.0.1-release.md
@@ -3,7 +3,7 @@ layout: post
 title: "Apache Arrow 14.0.1 Release"
 date: "2023-11-09 00:00:00"
 author: pmc
-categories: [release]
+categories: [release, security]
 ---
 <!--
 {% comment %}
diff --git a/_posts/2026-02-09-arrow-security-model.md 
b/_posts/2026-02-09-arrow-security-model.md
new file mode 100644
index 00000000000..95a1a3f3dd6
--- /dev/null
+++ b/_posts/2026-02-09-arrow-security-model.md
@@ -0,0 +1,46 @@
+---
+layout: post
+title: "Introducing a Security Model for Arrow"
+date: "2026-02-09 00:00:00"
+author: pmc
+categories: [arrow, security]
+---
+<!--
+{% comment %}
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to you under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+{% endcomment %}
+-->
+
+We are thrilled to announce the official publication of a
+[Security Model](https://arrow.apache.org/docs/dev/format/Security.html) for 
Apache Arrow.
+
+The Arrow security model covers a core subset of the Arrow specifications:
+the [Arrow Columnar 
Format](https://arrow.apache.org/docs/dev/format/Columnar.html),
+the [Arrow C Data 
Interface](https://arrow.apache.org/docs/dev/format/CDataInterface.html) and the
+[Arrow IPC 
Format](https://arrow.apache.org/docs/dev/format/Columnar.html#serialization-and-interprocess-communication-ipc).
+It sets expectations and gives guidelines for handling data coming from
+untrusted sources.
+
+The specifications covered by the Arrow security model are building blocks for
+all the other Arrow specifications, such as Flight and ADBC.
+
+The ideas underlying the Arrow security model were informally shared between
+Arrow maintainers and have informed decisions for years, but they were left
+undocumented until now.
+
+Implementation-specific security considerations, such as proper API usage and
+runtime safety guarantees, will later be covered in the documentation of the
+respective implementations.
diff --git a/security.md b/security.md
index 32924f95bff..7c2a4de5f62 100644
--- a/security.md
+++ b/security.md
@@ -6,9 +6,19 @@ description: Security
 
 # Reporting Security Issues
 
-Apache Arrow uses the standard process outlined by the [Apache Security 
Team](https://www.apache.org/security/) for reporting vulnerabilities. Note 
that vulnerabilities should not be publicly disclosed until the project has 
responded.
-
-To report a possible security vulnerability, please email 
[[email protected]](mailto:[email protected]).
+We take security seriously and would like our project to be as robust and
+dependable as possible. If you believe to have found a security bug, please do
+not file a public issue.
+
+First, please carefully read the Apache Arrow
+[Security Model](https://arrow.apache.org/docs/dev/format/Security.html)
+and understand its implications for untrusted data, as some apparent security
+issues can actually be usage issues.
+
+Second, please follow the standard [vulnerability reporting 
process](https://apache.org/security/#reporting-a-vulnerability)
+outlined by the Apache Software Foundation. We will assess your report, follow
+up with our evaluation of the issue, and fix it as soon as possible if we deem
+it to be an actual security vulnerability.
 
 <hr class="my-5">
 
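Review bot: The removed line "vulnerabilities should not be publicly disclosed until the project has responded" is not carried over into the new text; "please do not file a public issue" only covers the issue tracker, not mailing lists, blog posts or social media, so the coordinated-disclosure expectation should be restated explicitly, for example after "please do not file a public issue." add "and do not disclose the issue publicly until the project has responded." Also, "If you believe to have found a security bug" should read "If you believe you have found a security bug", and dropping the explicit [email protected] address in favour of the ASF process link is fine only if that page states the address clearly; otherwise keep the mailto so reporters have a single, unambiguous destination.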