This is an automated email from the ASF dual-hosted git repository.
vishesh92 pushed a commit to branch main
in repository
https://gitbox.apache.org/repos/asf/cloudstack-kubernetes-provider.git
The following commit(s) were added to refs/heads/main by this push:
new 0fdca7b6 Add security-model discoverability pointer to the
project-wide CloudStack threat model (#97)
0fdca7b6 is described below
commit 0fdca7b65f1abf2ca25152ff149da7627e7b9616
Author: Jarek Potiuk <[email protected]>
AuthorDate: Mon Jul 13 10:05:00 2026 +0200
Add security-model discoverability pointer to the project-wide CloudStack
threat model (#97)
* Add draft project security threat-model document
Adds a draft project-level security threat-model document
(draft-THREAT-MODEL.md) at repo root, improving discoverability
for automated security scanners running against this repository.
The file follows the rubric format used by several other ASF
projects piloting security-model discoverability.
The "draft-" prefix signals this is a proposal for the PMC to
review, correct, or reject — not a finalised maintainer-blessed
model. Every claim carries a provenance tag (documented /
inferred / maintainer) so reviewers can see where each claim
originates; §14 collects open questions for the maintainers.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
* Point to the project-wide CloudStack threat model instead of a per-repo
copy
Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this
repo
inherits it rather than duplicating it.
Generated-by: Claude Code
---------
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
---
AGENTS.md | 13 +++++++++++++
SECURITY.md | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 48 insertions(+)
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 00000000..e6da7bba
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,13 @@
+<!-- SPDX-License-Identifier: Apache-2.0 -->
+
+# Agent Guide for cloudstack-kubernetes-provider
+
+This file is read by automated agents (security scanners, code analyzers,
+AI assistants) operating on this repository.
+
+## Security
+
+Security model: [SECURITY.md](./SECURITY.md)
+
+Agents that scan this repository should consult `SECURITY.md` and the
+project-wide threat model it links before reporting issues.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..8863ddd4
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,35 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# Security Policy
+
+## Reporting a Vulnerability
+
+`apache/cloudstack-kubernetes-provider` follows the [Apache Software
Foundation security process](https://www.apache.org/security/).
+Please report suspected vulnerabilities privately to `[email protected]`; do
not
+open public GitHub issues or pull requests for security reports.
+
+## Threat Model
+
+`apache/cloudstack-kubernetes-provider` is part of the Apache CloudStack
project and is covered by the
+**project-wide CloudStack threat model** rather than a per-repository copy.
What the
+project treats as in scope and out of scope, the security properties it
provides and
+disclaims, the adversary model, and how findings are triaged are documented in
that
+model: <https://github.com/apache/cloudstack/blob/main/THREAT_MODEL.md>.
+
+(That link resolves once the project-wide model lands on `apache/cloudstack`'s
+`main` branch — see apache/cloudstack#13293. A thin
`cloudstack-cloudstack-kubernetes-provider`-specific
+addendum can be added here later if this component needs one.)