Jarek Potiuk created HBASE-30181:
------------------------------------

             Summary: Add SECURITY.md pointing at security-model + reporting flow
                 Key: HBASE-30181
                 URL: https://issues.apache.org/jira/browse/HBASE-30181
             Project: HBase
          Issue Type: Task
            Reporter: Jarek Potiuk


Adds a canonical discoverability chain for the project's security
model:

    AGENTS.md  ->  SECURITY.md  ->  https://hbase.apache.org/security-model/

Two files touched in PR https://github.com/apache/hbase/pull/8275 :

- New SECURITY.md at the repo root - short pointer to the
  published model at https://hbase.apache.org/security-model/
  and to the [email protected] reporting flow.
- AGENTS.md Security Model section updated to route through
  SECURITY.md (same target URL on the other end).

Two practical drivers:

1. GitHub's "Report a vulnerability" UI affordance surfaces
   the contents of SECURITY.md at the repo root. Without one,
   well-meaning reporters file public issues against perceived
   security gaps.

2. Agent-driven security tooling discovery - the ASF Security
   team's coordinated scan tooling looks for threat-model
   references through the AGENTS.md -> SECURITY.md -> published
   model chain.

Filed at the request of the HBase PMC on the [GLASSWING] thread
on [email protected] (Andrew Purtell asked us to open
the PR; Duo Zhang requested the JIRA-id retitling per HBase
convention).

This issue exists purely to satisfy the HBase JIRA-id-in-title
convention; no code or behavior change beyond the PR.




--
This message was sent by Atlassian Jira
(v8.20.10#820010)
