steveloughran commented on PR #8562:
URL: https://github.com/apache/hadoop/pull/8562#issuecomment-4787778175

looking at interesting third party disclosure docs to see what can be lifted

https://github.com/curl/curl/blob/master/docs/VULN-DISCLOSURE-POLICY.md

I like how the introduction must be human-generated text.

I think we should add memory and thread leaks to special topics (or other resource consumption)

- those which hurt long-running processes: bugs
- resource consumption on services which could be initiated by a lower privileged remote caller and grow rapidly shall be considered CVEs

Also
- Native code?
- tls/openssl algorithms (out of scope as third party lib)

Client side resilience to malicious services
- clients are expected to be well configured (need to call this out) to talk to correct service endpoints, including any web proxies. Lack of resilience to malformed responses SHALL be considered bugs, not CVEs. + Mention how this applies to cloud storage services, ftp, http urls too.

## test code

Bugs except when secrets are logged or if it is possible for malicious code to be executed in CI/CD workflows.

## handling workflow

+ define the handling process, including links to asf workflow

- Support calls: reject
- ai reports: AI triage before human review/reject.
- human reports: human + AI triage

Downgrade to bug
- invite submitter to provide pr, create issue, etc, if it is simple
- complex bugs, expect dev team work
- bugs get attention with all other work.
- fix on trunk, backport to supported if not too hard

Accepted vulnerability
- asf process

CVE scoring: explain why more ruthless than AI. Recognise desire for recognition but that if we don't consider it that important in a well configured production system, it gets a low score. Especially
- never web/internet facing
- logs SHOULD be kept private
- well configured requirement