This is an automated email from the ASF dual-hosted git repository.

maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 5c32308858 Add security policy (#12328)
5c32308858 is described below

commit 5c3230885804351e7286fd5cbed658211e0a10cc
Author: Masakazu Kitajo <mas...@apache.org>
AuthorDate: Tue Jul 8 17:40:59 2025 -0600

    Add security policy (#12328)
    
    * Add security policy
    
    * Fix typo
    
    * Fix another typo
---
 SECURITY.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..be75009149
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,22 @@
+# Security Policy
+
+This is a project of the [Apache Software Foundation](https://apache.org/) and 
follows the ASF [vulnerability handling 
process](https://apache.org/security/#vulnerability-handling).
+
+We strongly encourage folks to report such problems to our private security 
mailing list first, before disclosing them publicly.
+
+# Reporting a Vulnerability
+
+To report a new vulnerability you have discovered please follow the ASF 
[vulnerability reporting 
process](https://apache.org/security/#reporting-a-vulnerability).
+
+# Security Model
+
+Administrative users are always considered to be trusted. Reports for 
vulnerabilities where an attacker already has access to or control over any of 
the following will be rejected:
+- Traffic Server binaries and/or scripts.
+- Traffic Server configuration files.
+
+Security-sensitive information may be logged with modified logging 
configurations, particularly if debug logging is enabled.
+
+Experimental features and plugins are known unstable and not supposed to be 
used on production. We do not consider
+vulnerabilities in those as security issues. You may report vulnerabilities in 
those publicly on our public lists or GitHub. However, please
+contact us privately, if you believe the vulnerabilities you find are serious, 
or if you are not sure whether you should report the
+vulnerabilities publicly.
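Review bot: the second paragraph asks reporters to use "our private security mailing list" but the file never names or links that list, so a reader has to leave the page to find the address; suggest adding the list address (or a direct pointer to the project's security contact) right where the list is mentioned. In the "Security Model" section, since reports are rejected when the attacker already controls "Traffic Server binaries and/or scripts" or "configuration files", it would help reporters to state whether plugins and their configuration fall under those two bullets, given that the last paragraph treats plugins separately. Finally, the last paragraph's "are known unstable and not supposed to be used on production" reads awkwardly; suggest "are known to be unstable and are not intended for use in production".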
