This is an automated email from the ASF dual-hosted git repository.
smiklosovic pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra.git
The following commit(s) were added to refs/heads/trunk by this push:
new 106e90b360 Add security-model discoverability (AGENTS.md -> SECURITY.md -> security model)
106e90b360 is described below
commit 106e90b360c7ce7173ba4deda18beb95802c5977
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sun Jun 14 02:29:27 2026 +0200
Add security-model discoverability (AGENTS.md -> SECURITY.md -> security model)

Wires the conventional AGENTS.md -> SECURITY.md -> security model chain so automated tooling can mechanically discover the project's security model. No model content is changed.

patch by Jarek Potiuk; reviewed by Stefan Miklosovic, Michael Semb Wever for CASSANDRA-21464
Assisted-by: Claude Opus 4.8 (1M context)
---
.build/build-rat.xml | 1 +
AGENTS.md | 14 +++++++++++++-
SECURITY.md | 15 +++++++++++++++
3 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/.build/build-rat.xml b/.build/build-rat.xml
index 947d60504b..244daa00f2 100644
--- a/.build/build-rat.xml
+++ b/.build/build-rat.xml
@@ -89,6 +89,7 @@
<!-- legal files -->
<exclude NAME="NOTICE.txt"/>
<exclude NAME="LICENSE.txt"/>
+ <exclude NAME="SECURITY.md"/>
<!-- AI agent instruction files -->
<exclude NAME="AGENTS.md"/>
<exclude NAME="CLAUDE.md"/>
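Review bot: the new `<exclude NAME="SECURITY.md"/>` lands under the `<!-- legal files -->` comment next to NOTICE.txt and LICENSE.txt, while AGENTS.md and CLAUDE.md sit under their own `<!-- AI agent instruction files -->` comment; SECURITY.md is a policy document rather than a legal notice, so either give it a comment of its own (for example `<!-- security policy -->`) or widen the legal-files comment, so a later reader knows why this file is exempt from the RAT license-header check rather than carrying a header like the rest of the tree.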
diff --git a/AGENTS.md b/AGENTS.md
index 51a16f4f5f..1a6b6a947b 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -66,4 +66,16 @@ General style conventions:
- 🚫 Never commit secrets, credentials, or API keys.
- 🚫 Never run the full test suite — it takes hours. Run targeted tests only.
- 🚫 Never bypass Checkstyle violations without a suppression comment
explaining why.
-- ⚠️ Ask before modifying the CQL grammar (`src/antlr/Cql.g`) — changes
cascade widely.
\ No newline at end of file
+- ⚠️ Ask before modifying the CQL grammar (`src/antlr/Cql.g`) — changes
cascade widely.
+
+## Security
+
+Security model: [SECURITY.md](./SECURITY.md), which links to the project's
+security model at
+[doc/modules/cassandra/pages/reference/security-model.adoc](./doc/modules/cassandra/pages/reference/security-model.adoc).
+
+Automated agents (security scanners, code analyzers) that scan this
+repository should consult that security model for the project's in-scope /
+out-of-scope declarations, trust boundaries, the security properties
+Cassandra provides and disclaims, and how findings are triaged, before
+reporting issues.
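Review bot: the new `## Security` section links to `doc/modules/cassandra/pages/reference/security-model.adoc` directly as well as to SECURITY.md, so the same path now lives in two files and will drift if the document ever moves; the commit message describes the chain as AGENTS.md -> SECURITY.md -> model, so consider pointing AGENTS.md only at SECURITY.md and keeping the path in one place. The hunk also repairs the missing trailing newline on the last existing bullet (the `\ No newline at end of file` marker followed by the re-added line), which is an incidental fix worth a word in the commit message.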
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..29f98a1a29
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,15 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report suspected security vulnerabilities in Apache Cassandra
+privately to the Apache Security Team at <[email protected]>, following the
+ASF process at <https://www.apache.org/security/>. Do not open public GitHub
+issues or pull requests for security reports.
+
+## Security Model
+
+Apache Cassandra's security model - what is in and out of scope, the trust
+boundaries it assumes, the security properties the project provides and
+disclaims, and how findings are triaged - is documented in-repo at
+[doc/modules/cassandra/pages/reference/security-model.adoc](./doc/modules/cassandra/pages/reference/security-model.adoc).
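Review bot: the reporting section warns only against public GitHub issues and pull requests, but the commit message cites CASSANDRA-21464, so the project also tracks work in a JIRA-style tracker; add that public tickets there are likewise not the place for security reports. The link to the security-model .adoc is root-relative and the hunk does not add that file, so confirm the target exists in the tree at this path before merge, otherwise the new discoverability chain ends in a dead link.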