Steve Loughran created HADOOP-19925:
---------------------------------------
Summary: Create a SECURITY.md file to define the security model for the AI tools
Key: HADOOP-19925
URL: https://issues.apache.org/jira/browse/HADOOP-19925
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 3.6.0
Reporter: Steve Loughran
Assignee: Steve Loughran

Write a SECURITY.md file to scope AI-generated security reports to sensible
deployments, and also for humans. Base off best work of other projects.

- explain deployments and their security boundaries (dev, Kerberos, isolated cloud)
- only accept security issues against Kerberos
- anything which doesn't lead to privilege escalation is a bug
- anything which hurts perf is just a bug
- we expect site config to be valid. If that can be manipulated, game over.
- job submission is remote code execution so no, you don't get a CVE for that

I will include dev and CI as targets of attacks and that we do care here.