This is an automated email from the ASF dual-hosted git repository.
SbloodyS pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/dolphinscheduler.git
The following commit(s) were added to refs/heads/dev by this push:
new f5dff77571 [Chore] Add AGENTS.md + SECURITY.md to make the security
model discoverable (#18310)
f5dff77571 is described below
commit f5dff77571aa7b8c4d9d847a8377c413e6e29c4c
Author: Jarek Potiuk <[email protected]>
AuthorDate: Tue Jun 2 05:50:37 2026 +0200
[Chore] Add AGENTS.md + SECURITY.md to make the security model discoverable
(#18310)
---
AGENTS.md | 29 +++++++++++++++++++++++++++++
SECURITY.md | 13 +++++++++++++
2 files changed, 42 insertions(+)
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000000..9d3f00d4e0
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,29 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# Agent Guide for dolphinscheduler
+
+This file is read by automated agents (security scanners, code
+analyzers, AI assistants) operating on this repository.
+
+## Security
+
+Security model: [SECURITY.md](./SECURITY.md)
+
+Agents that scan this repository should consult `SECURITY.md` and the
+threat model it links before reporting issues.
+
+DolphinScheduler's security model defines user roles, trust boundaries, and
known non-findings.
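Review bot: The Security section asks agents to consult "the threat model it links", but the only link given here is `[SECURITY.md](./SECURITY.md)`, so a scanner has to follow two hops before it reaches the user roles, trust boundaries and known non-findings named in the closing sentence. Consider linking the threat-model document directly under the `Security model:` line, so that an agent which reads only AGENTS.md still lands on the document that decides what counts as a finding.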
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..5fd235607a
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,13 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+`apache/dolphinscheduler` follows the [Apache Software Foundation security
process](https://www.apache.org/security/). Please report suspected
+vulnerabilities privately to `[email protected]`; do not open public
+GitHub issues or pull requests for security reports.
+
+## Threat Model
+
+What the project treats as in scope and out of scope, the security
+properties it provides and disclaims, the adversary model, and how
+findings are triaged are documented in
https://github.com/apache/dolphinscheduler/blob/dev/docs/docs/en/contribute/join/security-model.md.
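Review bot: The Threat Model paragraph ends in a bare absolute URL pinned to `blob/dev`, so anyone reading SECURITY.md from a release branch or tag is sent to the dev version of the model rather than the one matching their checkout. A relative Markdown link to `docs/docs/en/contribute/join/security-model.md` would resolve against whichever ref is being viewed. The diffstat lists only AGENTS.md and SECURITY.md, so the link target cannot be confirmed from this commit. Separately, the file opens at `# Security Policy` without the SPDX/Apache license comment that AGENTS.md carries in the same commit; add it if that header is expected on Markdown files.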