This is an automated email from the ASF dual-hosted git repository.
exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-api.git
The following commit(s) were added to refs/heads/main by this push:
new 97ed123 NIFI-16033 Add AGENTS.md and SECURITY.md for security-model
discoverability (#97)
97ed123 is described below
commit 97ed123e949d0311d069ae6403a1ef0f4ba1f3e7
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sat Jun 20 18:05:18 2026 -0400
NIFI-16033 Add AGENTS.md and SECURITY.md for security-model discoverability
(#97)
Signed-off-by: David Handermann <[email protected]>
---
AGENTS.md | 15 +++++++++++++++
SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 51 insertions(+)
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..f14c568
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,15 @@
+<!-- SPDX-License-Identifier: Apache-2.0 -->
+
+# Agent Guide for Apache NiFi
+
+This file is read by automated agents (security scanners, code
+analyzers, AI assistants) operating on this repository.
+
+## Security
+
+Security model: [SECURITY.md](./SECURITY.md)
+
+Agents that scan this repository should consult `SECURITY.md` and the
+threat model it links before reporting issues.
+
+The project security model is published at
https://nifi.apache.org/documentation/security/#security-model linked in
SECURITY.md.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..30ed701
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,36 @@
+<!-- SPDX-License-Identifier: Apache-2.0 -->
+
+# Security Policy
+
+## Reporting a Vulnerability
+
+Apache NiFi welcomes the responsible reporting of security vulnerabilities.
+The NiFi team believes that working with skilled security researchers across
the globe is crucial in identifying weaknesses in any technology.
+If you believe you've found a security issue in our product or service, we
encourage you to notify us.
+We will work with you to resolve the issue promptly.
+
+## Disclosure Policy
+
+* Let us know as soon as possible upon discovery of a potential security
issue, and we'll make every effort to quickly resolve the issue.
+* Provide us a reasonable amount of time to resolve the issue before any
disclosure to the public or a third-party.
+* Make a good faith effort to avoid privacy violations, destruction of data,
and interruption or degradation of our service. Only interact with accounts you
own or with explicit permission of the account holder.
+
+## Exclusions
+
+While researching, please refrain from:
+
+- Denial of service
+- Spamming
+- Social engineering (including phishing) of Apache NiFi staff or contractors
+- Any physical attempts against Apache NiFi property or data centers
+
+## Reporting Methods
+
+- NiFi Security Mailing List:
[[email protected]](mailto:[email protected])
+ - Members of the [Project Management
Committee](https://nifi.apache.org/people.html) monitor this private mailing
list and respond to disclosures
+
+## Threat Model
+
+What the project treats as in scope and out of scope, the security
+properties it provides and disclaims, the adversary model, and how
+findings are triaged are documented in the project [Security
Model](https://nifi.apache.org/documentation/security/#security-model).