This is an automated email from the ASF dual-hosted git repository.
CalvinKirs pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new 9a58cde5977 [doc](security) Add SECURITY.md threat model entry point (#63553)
9a58cde5977 is described below
commit 9a58cde5977c39a1aed48f6336509a29cb037fd7
Author: Calvin Kirs <[email protected]>
AuthorDate: Sat May 23 12:51:43 2026 +0800
[doc](security) Add SECURITY.md threat model entry point (#63553)
### What problem does this PR solve?
Issue Number: None
Related PR: None
Problem Summary: Security tooling and reviewers expect a root
SECURITY.md entry point. The threat model already defined SECURITY.md
coexistence under M16, but the repository did not provide the
conventional file.
---
AGENTS.md | 2 +-
SECURITY.md | 15 +++++++++++++++
threat-model.md | 12 ++++++------
3 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/AGENTS.md b/AGENTS.md
index 4775237c403..785c13d535f 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -4,7 +4,7 @@ This is the codebase for Apache Doris, an MPP OLAP database. It
primarily consis
## Security Threat Model
-For security scans, vulnerability triage, security reviews, and changes
involving authentication, authorization, network boundaries, external catalogs,
cloud tenancy, or other security-sensitive behavior, read `threat-model.md`
first. Use it to determine in-scope components, trust boundaries, attacker
roles, explicit non-goals, and triage classification. Findings that are out of
model or by design under `threat-model.md` should be reported as such, not
treated as Doris vulnerabilities.
+For security scans, vulnerability triage, security reviews, and changes
involving authentication, authorization, network boundaries, external catalogs,
cloud tenancy, or other security-sensitive behavior, read `SECURITY.md` first,
then follow it to `threat-model.md`. Use `threat-model.md` to determine
in-scope components, trust boundaries, attacker roles, explicit non-goals, and
triage classification. Findings that are out of model or by design under
`threat-model.md` should be reported [...]
## When running in a WORKTREE directory
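Review bot: the sentence "Findings that are out of model or by design under `threat-model.md` should be reported ..." is now carried verbatim in both this AGENTS.md paragraph and the new SECURITY.md; consider having AGENTS.md defer to SECURITY.md for that disposition wording (e.g. "classify findings as SECURITY.md describes") so the two copies cannot drift when one is edited later.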
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000000..d711fa4659f
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,15 @@
+# Security Policy
+
+Apache Doris security findings should be reported to
+`[email protected]`. The Apache Security Team will route reports to
+the Doris project maintainers.
+
+For security scope, trust boundaries, attacker roles, explicit
+non-goals, and vulnerability triage classification, use
+`threat-model.md` as the canonical source for this repository. Security
+scanners, review agents, and vulnerability triagers should read
+`threat-model.md` before classifying findings.
+
+Findings that are out of model or by design under `threat-model.md`
+should be reported with that disposition instead of being treated as
+Doris vulnerabilities.
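Review bot: the new SECURITY.md never tells a reporter not to open a public GitHub issue for a suspected vulnerability, which is the one instruction a root security policy is conventionally expected to carry alongside the reporting address; suggest adding a line such as "Please do not file security reports as public issues or pull requests." Also, `threat-model.md` is mentioned three times as plain backticked text; a Markdown link (`[threat-model.md](threat-model.md)`) would make the entry point navigable from the repository landing page and from scanners that follow links.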
diff --git a/threat-model.md b/threat-model.md
index 9a70b078500..cecc67de90f 100644
--- a/threat-model.md
+++ b/threat-model.md
@@ -23,13 +23,14 @@ should classify any inbound report.
matching git tag).
- **Reporting cross-reference**: per M1, security findings should be
reported to **`[email protected]`** (ASF security team will route
- to Doris). A short `SECURITY.md` at the repo root will link to this
+ to Doris). A short `SECURITY.md` at the repo root links to this
document as canonical scope (M16 (A)). Findings that fall under
§4.3 / §4.9 / §4.11a will be closed with a citation to this
document.
- **Status**: v1.0 — technical model accepted. The four wave-4 (M15–M18)
- meta/process answers are recorded below; physical artifacts
- (`SECURITY.md`, model-version field policy text) are follow-up work.
+ meta/process answers are recorded below; the root `SECURITY.md`
+ coexistence artifact is complete, while model-version field policy
+ text remains follow-up work.
- **Provenance legend**:
- *(documented)* — stated in Doris' own README, code comments,
`conf/*.conf`, or user docs
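Review bot: the Status bullet is changed to say the root `SECURITY.md` coexistence artifact is complete, but the same bullet still labels the document "v1.0 — technical model accepted" and, by its own wording, the model-version field policy (M15) is still pending; without a date or revision note a reader cannot tell this edited text from the originally accepted v1.0. Consider adding a one-line changelog entry or date next to the status so the post-acceptance edits are visible.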
@@ -741,7 +742,6 @@ the body. Summary table:
**Open follow-up items (not blocking v1.0 acceptance):**
-- Add `SECURITY.md` at repo root per M16. (Tracked separately.)
- Add `model-version` field to top of this doc per M15. Currently
bound to commit `1d1846591f7` / pre-3.x release. Update when
cutting next release.
@@ -802,5 +802,5 @@ Not yet produced in v1.0. Optional follow-up.
- [x] Document length: ~7 pages (within recommended 3–8). v0.1's
§4.14 wave-3 collapsed into a 14-row summary table.
-**v1.0 status**: ACCEPTED for technical content; `SECURITY.md`
-follow-up artifact pending per M16.
+**v1.0 status**: ACCEPTED for technical content; root `SECURITY.md`
+coexistence artifact complete per M16.
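Review bot: the acceptance checklist immediately above this status line uses `- [x]` entries (e.g. the document-length check), so the completed M16 artifact would be easier to audit as its own checked item, for instance `- [x] Root SECURITY.md coexistence artifact present (M16 (A)).`, rather than only as a phrase inside the status line.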