[ https://issues.apache.org/jira/browse/HDDS-15465?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated HDDS-15465:
----------------------------------
    Labels: pull-request-available  (was: )

> Add a project threat model and security-model discoverability (AGENTS.md, SECURITY.md)
> --------------------------------------------------------------------------------------
>
>                 Key: HDDS-15465
>                 URL: https://issues.apache.org/jira/browse/HDDS-15465
>             Project: Apache Ozone
>          Issue Type: Task
>            Reporter: Jarek Potiuk
>            Priority: Major
>              Labels: pull-request-available
>
> The ASF Security team is piloting improved security-model discoverability so 
> that automated security scanners can locate a project's threat model via the 
> standard AGENTS.md -> SECURITY.md chain.
> This issue tracks adding the following to apache/ozone, for the Ozone PMC to 
> review:
> - THREAT_MODEL.md — a draft project threat model (scope; trust boundaries; 
> the OM/SCM metadata+block RPC, DataNode block-token data plane, and 
> S3-gateway surfaces; Kerberos + delegation/block-token auth; ACLs/Ranger; 
> known non-findings; triage dispositions). Drafted against the Michael 
> Scovetta threat-model rubric; every claim is provenance-tagged and the open 
> questions for the PMC are collected in a dedicated section.
> - A "## Threat Model" pointer appended to the existing SECURITY.md (the 
> reporting policy is unchanged).
> - AGENTS.md wiring AGENTS.md -> SECURITY.md -> THREAT_MODEL.md so scanners 
> follow one canonical model.
> It is a draft for the PMC to confirm, correct, or reject. PR to follow.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)