potiuk opened a new pull request, #3449:
URL: https://github.com/apache/tinkerpop/pull/3449

Adds a draft `THREAT_MODEL.md` for Apache TinkerPop, a `SECURITY.md` pointing to it, and a `## Security` section in `AGENTS.md`, so automated security scanners (and researchers) can mechanically discover the project's threat model via the `AGENTS.md` -> `SECURITY.md` -> `THREAT_MODEL.md` chain.

The threat model is a **v0 draft authored by the ASF Security team** for the PMC to own and refine. It follows a standard rubric (scope, trust boundaries, adversary model, security properties provided / not provided, downstream responsibilities, known non-findings, triage dispositions). Every claim carries a provenance tag — `*(documented)*` / `*(inferred)*` / `*(maintainer)*` — and **every `*(inferred)*` claim routes to a numbered question in §14** for the PMC to confirm, correct, or strike. The highest-value items to confirm: the default authentication/TLS posture, the script-execution disposition (string scripts run through the Groovy engine), and the Gryo/serialization handling.

`THREAT_MODEL.md` and `SECURITY.md` carry the ASF license header; `AGENTS.md` is RAT-excluded. No code or behaviour changes — documentation only.

This is a proposal for the PMC to review — please adjust, correct, or reject as needed.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.