This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git


The following commit(s) were added to refs/heads/main by this push:
     new 2d2e529a Link the Camel security model from the security page (#1595)
2d2e529a is described below

commit 2d2e529ad2a291ca8e94d3a3f9f1ae575241c541
Author: Andrea Cosentino <[email protected]>
AuthorDate: Sat May 16 22:59:04 2026 +0200

    Link the Camel security model from the security page (#1595)
    
    Add a prominent 'Security model and report scope' section at the top of
    the /security/ page, above the reporting instructions, linking the
    canonical model at /manual/security-model.html, and noting that the
    subprojects inherit the same trust model.
    
    Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
---
 content/security/_index.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/content/security/_index.md b/content/security/_index.md
index 8ec7e6af..29fb77d7 100644
--- a/content/security/_index.md
+++ b/content/security/_index.md
@@ -4,6 +4,22 @@ title: "Security"
 
 # Apache Camel security information
 
+## Security model and report scope
+
+Before reporting, please read the **[Apache Camel Security 
Model](/manual/security-model.html)**.
+
+It is the canonical reference the Apache Camel PMC uses when triaging security 
reports. It
+documents who is trusted, where the trust boundaries sit, which vulnerability 
classes are
+accepted as framework vulnerabilities, and which categories are out of scope — 
route-author or
+operator responsibility, explicit opt-ins, denial of service through 
unthrottled routes,
+third-party transitive CVEs not reachable through Camel code, management 
surfaces placed on an
+untrusted network, and automated-scanner output with no proof of concept. 
Reports that fall
+outside the documented scope are closed with a reference to that page.
+
+The Camel subprojects — Camel Quarkus, Camel Spring Boot, Camel Karaf, Camel 
Kamelets, Camel
+Kafka Connector and Camel K — inherit the same trust model; report scope for 
them is governed
+by the same document unless a subproject publishes its own security model.
+
 ## Reporting new security problems with Apache Camel
 
 The Apache Software Foundation takes a very active stance in eliminating 
security problems.
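Review bot: the inline enumeration of out-of-scope categories in this hunk (from `+documents who is trusted, where the trust boundaries sit, ...` through `...automated-scanner output with no proof of concept.`) restates content that the linked /manual/security-model.html page owns, so the two will drift as the model is revised; consider cutting the list down to a one-sentence pointer and keeping only the closure-policy sentence (`+Reports that fall outside the documented scope are closed with a reference to that page.`), or state explicitly that the list is a summary and the linked page is authoritative. Also, the link is a site-absolute path (`/manual/security-model.html`) rather than a relref; since the manual is rendered from a separate source than this `content/security/_index.md` file, confirm that the path resolves in the published site (and in the link checker run by the website build) before merging.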
