This is an automated email from the ASF dual-hosted git repository.
benjobs pushed a commit to branch dev
in repository
https://gitbox.apache.org/repos/asf/incubator-streampark-website.git
The following commit(s) were added to refs/heads/dev by this push:
new f4ddaca [Improve] update community/security.md (#417)
f4ddaca is described below
commit f4ddaca426e94a9b3c2d242b7a5d555daf4388f0
Author: benjobs <[email protected]>
AuthorDate: Fri Nov 29 16:35:22 2024 +0800
[Improve] update community/security.md (#417)
---
community/security.md | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/community/security.md b/community/security.md
index 599d305..4d1affd 100644
--- a/community/security.md
+++ b/community/security.md
@@ -4,6 +4,19 @@ title: 'Security'
sidebar_position: 4
---
+# Frequently Asked Questions
+
+## During a security analysis of StreamPark, I noticed that StreamPark allows
for remote code execution, is this an issue?
+
+Apache StreamPark is a stream processing development management framework that
allows users to submit Flink/Spark jobs to remote clusters. which will be
executed unconditionally, without any attempts to limit what code can run.
+
+Historically, we have received many reports of remote code execution
vulnerabilities that we have had to reject because this is by design.
+
+We strongly discourage users from exposing Flink/Spark processes to the public
Internet. In corporate networks or "cloud" accounts, we recommend appropriately
restricting access to Flink and Spark clusters
+
+
+# I found a vulnerability in StreamPark, how do I report it? #
+
If you have any concerns regarding StreamPark's security, or you discover a
vulnerability or potential threat, please do not hesitate to get in touch with
the Apache Security Team by dropping an email at [email protected].
Please specify the project name as "StreamPark" in the email, and provide a
description of the relevant problem or potential threat. You are also urged to
recommend how to reproduce and replicate the issue.
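Review bot: the two added FAQ headings are at different levels and the second uses a stray trailing `#`: the first question is `## During a security analysis of StreamPark, ...` under `# Frequently Asked Questions`, while the second is `# I found a vulnerability in StreamPark, how do I report it? #`, which renders as a sibling of the FAQ section rather than a question inside it and also competes with the front-matter `title: 'Security'` for the page's top-level heading. Suggest `## I found a vulnerability in StreamPark, how do I report it?` so both questions sit under the single FAQ heading. Two grammar points in the first answer: "remote clusters. which will be executed unconditionally" splits one sentence into a fragment and should read "remote clusters, which will be executed unconditionally", and the final sentence "we recommend appropriately restricting access to Flink and Spark clusters" is missing its full stop. On substance, since this answer is the justification for rejecting RCE reports as by-design, it would help readers if "appropriately restricting access" said what the project actually expects (for example, that the clusters and the StreamPark console are reachable only from trusted networks and behind authentication), so that the boundary between "by design" and a reportable issue is clear to the next person who files one.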