potiuk opened a new pull request, #497: URL: https://github.com/apache/jspwiki/pull/497
**This is a draft proposal for the JSPWiki PMC to review — please correct, reject, or discuss as needed.** Nothing here is a requirement; the maintainers are the decision-makers, and this document describes JSPWiki *as the PMC says it is*, not as anyone thinks it should be. This PR adds three files: - **`THREAT_MODEL.md`** — a v0 threat model: what JSPWiki treats as in/out of scope, the trust boundaries and adversary model, the security properties it claims and disclaims (stored-XSS sanitization, ACL enforcement, attachment containment, …), the well-known wiki-engine attack classes left to the operator, and a closed set of triage dispositions. - **`SECURITY.md`** — a security policy pointing at the ASF reporting process and linking the threat model. - **`AGENTS.md`** — so an automated scan agent can mechanically find the model via the conventional `AGENTS.md → SECURITY.md → THREAT_MODEL.md` chain. **It is draft-first and mostly inferred.** Confidence is roughly *14 documented / 0 maintainer / 58 inferred* — every `*(inferred)*` claim is the agent's hypothesis from the code structure and wiki-engine domain norms, and each routes to a numbered question in **§14 Open questions**. The fastest way to review is to walk §14 (three short waves) and answer in-thread; we then promote the `*(inferred)*` tags to `*(maintainer)*` and the model firms up. The highest-leverage answers are the **wave-1** ones (default anonymous-edit posture, default markup engine + raw-HTML handling, whether the asserted cookie is ever used for a security decision) — they reshape several later sections. Context: the ASF Security team is preparing the project for an automated agentic security scan we're piloting; a complete, discoverable threat model is what keeps that scan's output signal-rich instead of noise. We drafted this via the [threat-model-producer](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573) rubric. If you'd rather author the model yourselves, close this PR and we'll regroup — the offer is just to save you the blank page. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
