potiuk opened a new pull request, #6709: URL: https://github.com/apache/jmeter/pull/6709
## What this is

A **draft threat model** for Apache JMeter, proposed by the ASF Security team for the JMeter PMC to review, correct, or reject — drafted by the Security team's threat-model tooling from JMeter's public docs and `security.html`, following the [ASF Security threat-model rubric](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573).

It is **built on the existing `security.html`**: that page's "Security Model" statements are lifted verbatim as the documented core, and this document adds the surrounding threat-model structure (adversary model, in/out scope, properties, known non-findings, triage dispositions). It is a **strict superset** — nothing in `security.html` is weakened; that page stays the canonical reporting/policy page and should link here for the expanded model.

This PR:

- adds `THREAT_MODEL.md` — the draft model;
- adds `SECURITY.md` — a short security policy linking the threat model (and `security.html`);
- adds `AGENTS.md` with a `## Security` section, so the chain `AGENTS.md → SECURITY.md → THREAT_MODEL.md` is mechanically discoverable by automated security scanners.

## How to read it

Every claim is provenance-tagged: *(documented)* (from JMeter's docs/`security.html`/repo), *(inferred)* (reasoned from architecture, **not yet confirmed**), *(maintainer)* (confirmed by the PMC). This v0 is ~10 documented / ~26 inferred. The **§14 Open questions** section collects the inferred claims into waves for the PMC to confirm or correct.

The model leads with the documented `BY-DESIGN` core — JMeter executes the (trusted) test plan it is given, and isolating untrusted `.jmx` is the user's responsibility — and then focuses the in-model boundaries on:

- the **distributed-mode RMI surface** (`jmeter-server`) and its RMI-over-SSL + Security-Manager defaults (wave 1);
- the **opening-vs-running** line for non-`.jmx` files (wave 2);
- whether a **hostile system-under-test**'s responses are in scope for JMeter's parsers (wave 2);
- the forward isolation story given the JDK Security Manager's deprecation (wave 2).

Nothing here is a requirement — the model is for the PMC to own. Comment inline, edit the branch, or reply on the email thread.
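The PR relies on two mechanical properties: every claim in `THREAT_MODEL.md` carries a provenance tag, and the chain `AGENTS.md → SECURITY.md → THREAT_MODEL.md` can be followed by a scanner. The lint below is an added example of checking both in CI; it is not code from the PR or from the JMeter project. It assumes the tags appear in the markdown literally as `*(documented)*`, `*(inferred)*` and `*(maintainer)*`, that claims are bullet lines, and that the three files reference each other with ordinary markdown links; the sample repo contents are constructed for the example and are not the PR's files.

```python
import re
from typing import Dict, List, Optional

# Assumed tag syntax: the PR shows the tags as italicised *(documented)* etc.
TAG_RE = re.compile(r"\*\((documented|inferred|maintainer)\)\*")
# Markdown link targets, e.g. [text](SECURITY.md) or [text](SECURITY.md#reporting).
LINK_RE = re.compile(r"\[[^\]]*\]\(([^)\s#]+)")


def section_body(markdown: str, heading: str) -> Optional[str]:
    """Text under '## <heading>' up to the next '## ' heading; None if absent."""
    body: List[str] = []
    inside = False
    for line in markdown.splitlines():
        if line.startswith("## "):
            if inside:
                break
            inside = line[3:].strip() == heading
            continue
        if inside:
            body.append(line)
    return "\n".join(body) if inside else None


def link_targets(markdown: str) -> List[str]:
    return LINK_RE.findall(markdown)


def provenance_counts(markdown: str) -> Dict[str, int]:
    """How many claims are documented / inferred / maintainer-confirmed."""
    counts = {"documented": 0, "inferred": 0, "maintainer": 0}
    for m in TAG_RE.finditer(markdown):
        counts[m.group(1)] += 1
    return counts


def untagged_claims(markdown: str) -> List[str]:
    """Bullet lines with no provenance tag: each claim must carry one."""
    return [ln.strip() for ln in markdown.splitlines()
            if ln.strip().startswith("- ") and not TAG_RE.search(ln)]


def check_chain(files: Dict[str, str]) -> List[str]:
    """Follow AGENTS.md '## Security' -> SECURITY.md -> THREAT_MODEL.md by links."""
    problems: List[str] = []
    agents = files.get("AGENTS.md")
    if agents is None:
        problems.append("AGENTS.md missing")
    else:
        sec = section_body(agents, "Security")
        if sec is None:
            problems.append("AGENTS.md has no '## Security' section")
        elif "SECURITY.md" not in link_targets(sec):
            problems.append("AGENTS.md '## Security' does not link SECURITY.md")
    security = files.get("SECURITY.md")
    if security is None:
        problems.append("SECURITY.md missing")
    elif "THREAT_MODEL.md" not in link_targets(security):
        problems.append("SECURITY.md does not link THREAT_MODEL.md")
    if "THREAT_MODEL.md" not in files:
        problems.append("THREAT_MODEL.md missing")
    return problems


def lint(files: Dict[str, str]) -> Dict[str, object]:
    model = files.get("THREAT_MODEL.md", "")
    return {
        "chain_problems": check_chain(files),
        "provenance": provenance_counts(model),
        "untagged": untagged_claims(model),
    }


# Constructed sample repo: a minimal stand-in for the three files the PR adds.
SAMPLE_REPO = {
    "AGENTS.md": "# Agents\n\n## Build\n\nRun gradle.\n\n## Security\n\n"
                 "See [SECURITY.md](SECURITY.md) before touching network code.\n",
    "SECURITY.md": "# Security policy\n\nReport via security.html. "
                   "The expanded model is in [THREAT_MODEL.md](THREAT_MODEL.md).\n",
    "THREAT_MODEL.md": (
        "# Threat model (draft)\n\n## Core\n\n"
        "- JMeter executes the test plan it is given. *(documented)*\n"
        "- Isolating untrusted `.jmx` is the user's responsibility. *(documented)*\n"
        "- `jmeter-server` RMI is reachable only from the controller's network. *(inferred)*\n"
        "- Responses from a hostile system-under-test reach the parsers.\n"
    ),
}

if __name__ == "__main__":
    print(lint(SAMPLE_REPO))
```

Run against a checkout, the `untagged` list is the set of claims that would fail the rubric, and `chain_problems` is non-empty whenever a refactor drops the `## Security` section or one of the links, which is exactly the break an automated scanner would silently miss.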
