So let me understand this correctly: the code of this PR was written by an
AI, and its target audience is AIs?

On 30/05/2026 13:16, potiuk (via GitHub) wrote:

potiuk opened a new pull request, #496:
URL: https://github.com/apache/jspwiki/pull/496

## Summary

This PR adds an initial draft of a project-level security threat-model document (`draft-THREAT-MODEL.md`) so that automated security scanners running against this repository have a maintainer-facing reference for which classes of findings are in-scope vs. out-of-scope for the project.

The document follows the rubric format used by several other ASF projects piloting improved security-model discoverability for agentic scanners. Every claim carries a provenance tag:

- *(documented)* — paraphrased from public artefacts (this repo, the project website, the JSPWiki Security and CVE wiki pages), cited inline.
- *(inferred)* — synthesised from code structure or domain knowledge; the PMC has not confirmed.
- *(maintainer)* — confirmed by a JSPWiki PMC member in response to this draft. (1 in this initial draft — Juan Pablo's Path-3 + scope confirmation from the GLASSWING thread.)

Draft stats:

- ~40 documented claims (incl. the wiki Security + CVE pages, folded into the appendix back-map after the initial draft)
- ~27 inferred claims (each maps to a §14 question)
- 37 open questions for maintainers in §14, grouped in 6 waves (meta + external-artefact reconciliation / SecurityManager / XSS + markup parser / auth + attachments / environment + side-effects / meta finalization)

§14 is the highest-leverage section: answering each question either promotes one *(inferred)* tag to *(maintainer)* or corrects the underlying claim.

## Why "draft-" prefix?

The file is named `draft-THREAT-MODEL.md` rather than `SECURITY-THREAT-MODEL.md` because **this is a proposal for the PMC to review — please correct, reject, or discuss as needed.** Once the PMC ratifies (or substantially edits) the content, the file can be renamed in a follow-up PR and a discoverability scaffold (`AGENTS.md` → `SECURITY.md` → the model) added so scanners can mechanically follow the chain.

## What this is, and what it is not

This is **not** a security audit. It is a working triage document — the reference a triager holds against an inbound report to decide whether the report is about a JSPWiki vulnerability or about operator misconfiguration / an out-of-scope concern.

JSPWiki's wiki-engine domain (untrusted user-supplied markup rendering, optional plugin execution, attachment handling, JAAS container-managed auth) makes §3 / §9 / §11a especially load-bearing — the model carefully calls out which classes of findings the PMC has historically ruled non-issues vs. valid.

The draft was generated by an automated agentic security scan being piloted by the ASF Security team; the discoverability work is independent of any specific scan run.

## How to review

1. **§14 first.** Q1 (back-map of the wiki Security + CVE pages), Q9 (the SecurityManager-not-supported question — single highest-impact open ruling), and Q37 (§11a population from historical XSS-class CVE clusters) are the three most load-bearing.
2. After that, please skim §3 (out-of-scope) and §13 (triage dispositions) — those govern how a vulnerability report would be triaged.

Reply edits / corrections inline on the PR, or to the original `[email protected]` thread, whichever fits the PMC's workflow.

🤖 Generated with [Claude Code](https://claude.com/claude-code)


--

...........................................................................
Murray Altheim <murray18 at altheim dot com>
http://www.altheim.com/murray/
    In the evening
    The rice leaves in the garden
    Rustle in the autumn wind
    That blows through my reed hut.
           -- Minamoto no Tsunenobu