Hello everyone,

TL;DR: As of today, Airflow users and security researchers have improved documentation about the security model we have in Airflow, which can guide their decisions and reports and help keep Airflow more secure.

We have recently formed a new security team as part of improving security vulnerability handling in Airflow, and one of the things we realized is that there is a need to improve our security model, so that two groups are better served:

* the users can better understand the model we have and what they should look at to make their Airflow security better: https://airflow.apache.org/docs/apache-airflow/2.6.2/security/index.html#airflow-security-model-user-types
* the security researchers get a detailed Security Policy describing the process we use, how they should report issues and what to expect: https://github.com/apache/airflow/security/policy

We also hope the "user security model" will give researchers a chance to check the model to see if the vulnerability they found is really a vulnerability or just part of the Security Model.

Feel free to read those docs and use them when you need to make decisions about securing your Airflow.

J.