potiuk opened a new pull request, #13554: URL: https://github.com/apache/cloudstack/pull/13554
**This is a proposal for the PMC to review — please correct, reject, or discuss as needed.** It changes no threat-model content; it only adds the discoverability wiring around it. `apache/cloudstack` now carries the project-wide security threat model (`draft-THREAT-MODEL.md`, merged in #13293), but there's no `AGENTS.md` / `SECURITY.md` chain leading to it. This PR adds: - `SECURITY.md` — the standard ASF disclosure-policy pointer (report suspected vulnerabilities privately to `[email protected]`) plus a "Threat Model" section linking to `draft-THREAT-MODEL.md`. - `AGENTS.md` — a Security section pointing agents at `SECURITY.md`, so an automated scanner can mechanically follow `AGENTS.md` → `SECURITY.md` → `draft-THREAT-MODEL.md`. Context: the ASF Security team is preparing the project for an automated agentic security scan we're piloting; those scans refuse to run unless the model is reachable by that chain. The model content is untouched — I linked `draft-THREAT-MODEL.md` as-named, so if you later rename or relocate it, just update the one link in `SECURITY.md`. Questions / pushback welcome. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
