This is an automated email from the ASF dual-hosted git repository. exceptionfactory pushed a commit to branch main-staging in repository https://gitbox.apache.org/repos/asf/nifi-site.git
commit 0f2b81b8aa54b28fc1677ca2307448c27c253506 Author: exceptionfactory <[email protected]> AuthorDate: Sat Jun 14 17:31:31 2025 -0500 Renamed Security Reporting Guidelines to Security Model (cherry picked from commit ea155f31bd7e51f4728cdfdb7f577d3dce0c9957) --- content/documentation/security.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/content/documentation/security.md b/content/documentation/security.md index 6fca6225..fc09e5f9 100644 --- a/content/documentation/security.md +++ b/content/documentation/security.md 
@@ -24,14 +24,16 @@ Do not perform the following actions after discovering a potential security conc - Send a message to the project mailing lists disclosing a security vulnerability to the public - Send a message to the project Slack instance disclosing a security vulnerability to the public -## Reporting Guidelines +## Security Model + +Apache NiFi provides a framework for developing processing pipelines using standard and custom components. Authenticated +and authorized users are responsible for the security of operating system commands and custom code. Privileged users are +also responsible for designing processing pipelines with security measures appropriate to the level of trust expected +for systems and services providing input to such processing pipelines. Configuring dangerous operating system commands or custom scripts is not a project security vulnerability. -Authenticated and authorized users are responsible for the security of operating system commands and custom -code. -Apache NiFi provides a framework for developing processing pipelines using standard and custom -components. The framework supports configurable permissions that enable authorized users to execute code +The framework supports configurable permissions that enable authorized users to execute code using several standard components. Components such as ExecuteProcess and ExecuteStreamCommand support running operating system commands, while other scripted components support executing custom code using different programming languages. Configuring these components with untrusted commands or arguments is
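Review bot: The added paragraph under `## Security Model` introduces "Privileged users" without saying how that group relates to the "Authenticated and authorized users" named one sentence earlier or to the "authorized users" in the paragraph that follows. Use one term throughout, or define the privileged role explicitly, for example as users permitted to configure ExecuteProcess, ExecuteStreamCommand or the scripted components. Separately, replacing `## Reporting Guidelines` with `## Security Model` changes the section's anchor if the site derives anchors from heading text, so any existing links to the old heading should be checked before this is published.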
