potiuk opened a new pull request, #920: URL: https://github.com/apache/nutch/pull/920
**This is a proposal for the PMC to review — please correct, reject, or discuss as needed.** Nothing here is a requirement; the maintainer is the decision-maker.

## What this PR does

Adds two new files at the repo root:

- **`AGENTS.md`** — agent-instructions file with a Security section linking to `SECURITY.md`. The conventional first stop for automated agents (security scanners, code analyzers, AI assistants) operating on this repository.
- **`SECURITY.md`** — short pointer to the canonical security documents on the project website at <https://nutch.apache.org/documentation/security/>, plus the standard ASF reporting flow (`[email protected]`). No threat-model content is duplicated — the website stays the source of truth.

Together they make the conventional `AGENTS.md → SECURITY.md → website` discoverability chain mechanically followable.

## Why

Two practical drivers:

1. **GitHub UI affordance.** GitHub's "Report a vulnerability" button surfaces the contents of `SECURITY.md` at the repo root. Without one, well-meaning reporters file public issues against perceived security gaps. The new `SECURITY.md` redirects them to the website's threat-model + reporting flow.
2. **Agent-driven security tooling discovery.** An automated agentic security scan the ASF Security team is piloting needs to mechanically locate the project's threat model via the conventional `AGENTS.md → SECURITY.md` chain at the designated commit. Without that chain resolving, the scan refuses to run (refusing upfront beats wasting reviewer cycles on a noise-heavy run against an unknown model).

The PMC opted in on a private thread with the ASF Security team; Sebastian Nagel picked option (b) — Security team opens the PR — in his 2026-05-26 reply.

## What this PR does NOT do

- It does **not** alter the existing security model. The model at <https://nutch.apache.org/documentation/security/#security-model> stays the source of truth.
- It does **not** introduce a new reporting alias. Reports continue to flow through `[email protected]`.
- It does **not** touch other repository files.

Per Sebastian's "template or incomplete version, we can complete during PR review" note: this is exactly that — minimal scaffolding that lets the discoverability chain pass mechanically. The PMC can extend `AGENTS.md` over time with project-specific guidance for AI coding agents (general contribution rules, build conventions, etc.) — it's the agent-instruction file the security pointer lives in.

Questions / pushback / scope expansion welcome.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]

