potiuk opened a new pull request, #232: URL: https://github.com/apache/polaris-tools/pull/232
**This is a proposal for the PMC to review — please correct, reject, or discuss as needed.** Nothing here is a requirement; the maintainer is the decision-maker.

## What this PR does

Adds a `Threat Model` section to `SECURITY.md` pointing at the existing `SECURITY-THREAT-MODEL.md` so the conventional `AGENTS.md → SECURITY.md → model` chain is mechanically complete. No other files touched; no change to the threat-model content itself.

## Why

The threat model is already discoverable via `AGENTS.md`'s "Understand The Tool First" / "Security Issues" sections, which link directly to `SECURITY-THREAT-MODEL.md`. That works fine for an automated agentic security scan the ASF Security team is piloting — the agent finds the model by reading `AGENTS.md`.

The reason for adding the same link from `SECURITY.md` is the **GitHub UI affordance**: the "Report a vulnerability" button surfaces the contents of `SECURITY.md` at the repo root. External security researchers (not just automated agents) land there first when they decide to report something. Right now they see only the generic ASF-process boilerplate; with this change they also see a pointer to the project's threat model, which clarifies the per-tool scope before they invest time in a report.

## What this PR does NOT do

- It does **not** change the threat model itself. `SECURITY-THREAT-MODEL.md` (introduced in `apache/polaris-tools#228`) stays the source of truth.
- It does **not** introduce a new reporting alias. Reports continue to flow through `[email protected]`.
- It does **not** alter the `AGENTS.md` discoverability chain, which already works.

Questions / pushback welcome. Happy to adjust wording or move the section if the project has a house style.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
