potiuk opened a new pull request, #13554:
URL: https://github.com/apache/cloudstack/pull/13554

   **This is a proposal for the PMC to review — please correct, reject, or 
discuss as needed.** It changes no threat-model content; it only adds the 
discoverability wiring around it.
   
   `apache/cloudstack` now carries the project-wide security threat model 
(`draft-THREAT-MODEL.md`, merged in #13293), but there's no `AGENTS.md` / 
`SECURITY.md` chain leading to it. This PR adds:
   
   - `SECURITY.md` — the standard ASF disclosure-policy pointer (report 
suspected vulnerabilities privately to `[email protected]`) plus a "Threat 
Model" section linking to `draft-THREAT-MODEL.md`.
   - `AGENTS.md` — a Security section pointing agents at `SECURITY.md`, so an 
automated scanner can mechanically follow `AGENTS.md` → `SECURITY.md` → 
`draft-THREAT-MODEL.md`.
   
   Context: the ASF Security team is preparing the project for an automated 
agentic security scan we're piloting; those scans refuse to run unless the 
model is reachable by that chain. The model content is untouched — I linked 
`draft-THREAT-MODEL.md` as-named, so if you later rename or relocate it, just 
update the one link in `SECURITY.md`. Questions / pushback welcome.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to