potiuk opened a new pull request, #4561:
URL: https://github.com/apache/polaris/pull/4561

**This is a proposal for the PMC to review — please correct, reject, or discuss as needed.** Nothing here is a requirement; the maintainer is the decision-maker.

## What this PR does

Adds a `Threat Model` section to `SECURITY.md` pointing at the existing `SECURITY-THREAT-MODEL.md` so the conventional `AGENTS.md → SECURITY.md → model` chain is mechanically complete.

No other files touched; no change to the threat-model content itself.

## Why

The threat model is already discoverable via `AGENTS.md`'s "Security issues" section, which links directly to `SECURITY-THREAT-MODEL.md`. That works fine for an automated agentic security scan the ASF Security team is piloting — the agent finds the model by reading `AGENTS.md`.

The reason for adding the same link from `SECURITY.md` is the **GitHub UI affordance**: the "Report a vulnerability" button surfaces the contents of `SECURITY.md` at the repo root. External security researchers (not just automated agents) land there first when they decide to report something. Right now they see only the generic ASF-process boilerplate; with this change they also see a pointer to the project's threat model, which clarifies what's in scope before they invest time in a report.

Same observation Andrew Purtell raised on the HBase PMC thread for their own PR (`apache/hbase#8275`): SECURITY.md is the externally-facing "first stop", and linking the threat model from there shortens the path for reporters.

## What this PR does NOT do

- It does **not** change the threat model itself. `SECURITY-THREAT-MODEL.md` stays the source of truth (recently introduced by `apache/polaris#4433`).
- It does **not** introduce a new reporting alias. Reports continue to flow through `[email protected]`.
- It does **not** alter the `AGENTS.md` discoverability chain, which already works.

Questions / pushback welcome. Happy to adjust wording or move the section if the project has a house style.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.