[
https://issues.apache.org/jira/browse/HBASE-30181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated HBASE-30181:
-----------------------------------
Labels: pull-request-available (was: )
> Add SECURITY.md pointing at security-model + reporting flow
> -----------------------------------------------------------
>
> Key: HBASE-30181
> URL: https://issues.apache.org/jira/browse/HBASE-30181
> Project: HBase
> Issue Type: Task
> Reporter: Jarek Potiuk
> Priority: Major
> Labels: pull-request-available
>
> Adds a canonical discoverability chain for the project's security
> model:
> AGENTS.md -> SECURITY.md -> https://hbase.apache.org/security-model/
> Two files touched in PR https://github.com/apache/hbase/pull/8275 :
> - New SECURITY.md at the repo root - short pointer to the
> published model at https://hbase.apache.org/security-model/
> and to the [email protected] reporting flow.
> - AGENTS.md Security Model section updated to route through
> SECURITY.md (same target URL on the other end).
> Two practical drivers:
> 1. GitHub's "Report a vulnerability" UI affordance surfaces
> the contents of SECURITY.md at the repo root. Without one,
> well-meaning reporters file public issues against perceived
> security gaps.
> 2. Agent-driven security tooling discovery - the ASF Security
> team's coordinated scan tooling looks for threat-model
> references through the AGENTS.md -> SECURITY.md -> published
> model chain.
> Filed at the request of the HBase PMC on the [GLASSWING] thread
> on [email protected] (Andrew Purtell asked us to open
> the PR; Duo Zhang requested the JIRA-id retitling per HBase
> convention).
> This issue exists purely to satisfy the HBase JIRA-id-in-title
> convention; no code or behavior change beyond the PR.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
