This is an automated email from the ASF dual-hosted git repository.
ChristopherSchultz pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 4b0cb3905f Add AGENTS.md + SECURITY.md linking the project's security model
4b0cb3905f is described below
commit 4b0cb3905f244334438af92b3e5947e7c03f54fc
Author: Jarek Potiuk <[email protected]>
AuthorDate: Thu May 14 23:36:20 2026 +0200
Add AGENTS.md + SECURITY.md linking the project's security model
These two small files at the repo root let an automated agent
mechanically discover the project's existing security model
via the conventional AGENTS.md -> SECURITY.md chain. Both new
files are pointers; nothing about the substantive content of
the model at https://tomcat.apache.org/security-model.html
changes.
Proposed by the ASF Security team while preparing the project
for a Glasswing agentic security scan. The scan refuses to run
if the model is not discoverable by that path; refusing
upfront beats wasting PMC reviewer cycles on a noise-heavy run
against a model the agent never found. Discoverability is the
only hard gate; everything else is suggestion.
Generated-by: Claude Code (Claude Opus 4.7)
---
AGENTS.md | 17 +++++++++++++++++
SECURITY.md | 14 ++++++++++++++
2 files changed, 31 insertions(+)
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000000..80030edf14
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,17 @@
+# Agent guidance
+
+This file is read by automated agents (security scanners, code
+analyzers, AI assistants) operating on this repository. It
+points them at the human-authored references they should
+consult before producing output.
+
+## Security
+
+Security model: [SECURITY.md](./SECURITY.md), which links to
+the canonical model document at
+<https://tomcat.apache.org/security-model.html>.
+
+Agents that scan this repository should consult the linked
+security model for the project's threat model, in-scope /
+out-of-scope declarations, and known non-findings before
+reporting issues.
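Review bot: The closing paragraph tells agents to consult the security model "before reporting issues" but never says where a report should go, so an agent that has read only this file may still file a finding in a public tracker. Since the sibling SECURITY.md hunk already carries a "How to report a vulnerability" item, add one sentence after "reporting issues." such as "Report anything that survives that check through the disclosure process described in SECURITY.md, not via public issues or pull requests." That keeps the private-disclosure expectation on the same discovery path (AGENTS.md -> SECURITY.md) the commit message says the scanner will follow.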
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..db79646e0c
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,14 @@
+# Security
+
+Apache Tomcat's security model and disclosure process are
+published on the project website rather than in the repository:
+
+- **Threat model and security policy**:
+ <https://tomcat.apache.org/security-model.html>
+- **How to report a vulnerability**: see the Security section
+ of <https://tomcat.apache.org/>.
+
+The project website is the authoritative source; this file
+exists so agents and tooling that look for `SECURITY.md` in
+the repository can mechanically follow the link to the
+canonical documents.
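Review bot: The "How to report a vulnerability" item points at "the Security section of <https://tomcat.apache.org/>" rather than at a concrete page, which contradicts the file's own stated purpose in the last paragraph that tooling can "mechanically follow the link to the canonical documents": a crawler or agent resolving the second bullet lands on the site front page with no machine-followable path to the reporting instructions. Replace the indirection with the direct URL of the project's security reporting page (the one the website's Security section links to), so both bullets resolve to canonical documents the same way the first one does.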
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]