potiuk opened a new pull request, #13457: URL: https://github.com/apache/apisix/pull/13457
## Summary This PR adds the Apache APISIX project security threat-model document at `docs/en/latest/security-threat-model.md`, along with the discoverability scaffold (`AGENTS.md` + `SECURITY.md`) so automated security scanners and triagers can mechanically locate it. The threat model articulates Apache APISIX's trust boundaries, in-scope vs. out-of-scope finding categories, the per-component properties the project provides (and explicitly does not), and the closed-set triage dispositions a maintainer applies to inbound reports. ## Provenance This document was produced through a two-step process in the 2026-05-15 / 2026-05-29 thread on `[email protected]` between the ASF Security team and PMC chair Ming Wen: 1. **Initial draft** generated against APISIX's public artefacts (admin-api docs, plugin-develop docs, deployment-modes docs, external-plugin docs, ssl-protocol docs, the dashboard's `req.ts`, etc.). Every claim carried a provenance tag: *(documented)* — paraphrased from public artefacts and cited inline; *(inferred)* — synthesised from code structure or domain knowledge, awaiting PMC confirmation; *(maintainer)* — confirmed by an Apache APISIX PMC member. 2. **PMC ratification** — Ming Wen answered all 28 §4.14 open questions on 2026-05-15 12:21Z. The 27 questions promoted in this document map *(inferred)* → *(maintainer)*. The 28th (q-21, dashboard admin-key persistence) was resolved differently — see "Scope note" below. Confidence count: ~70 documented / 28 maintainer / 0 inferred. The §4.14 section is preserved with answers in place for traceability. ## Scope note The current scan scope is **apache/apisix + apache/apisix-ingress-controller**. apache/apisix-dashboard is explicitly out of scope per the PMC chair's 2026-05-26 message on the same thread. The dashboard appears in this document only as a §4.11a known-non-finding entry; the §4.8 admin-key-storage property the dashboard would have carried is tracked in a separate PR against apache/apisix-dashboard (the `atomWithStorage → atom` change). Dashboard re-enters scope under the §4.12 trigger when the fix lands. ## Why a project threat model The document is **not** a security audit. It is a working triage reference — the document a maintainer holds against an inbound report to decide whether the report is about an APISIX vulnerability or about operator misconfiguration / an out-of-scope concern. The §4.13 closed-set dispositions, the §4.11a known-non-findings list, and the §4.9 explicit non-properties section are the three highest-leverage parts for maintainers. The document also feeds an automated agentic security scan being piloted by the ASF Security team — the `AGENTS.md` entrypoint is what lets that scan locate the model without human intervention. The model is the operative document regardless of any specific scan; the discoverability scaffold is independent. ## How to review The §4.14 section preserves the 28 questions Ming answered, so the easiest way to verify the document is correct is to re-read the answers and confirm each maps to the right §-section claim. A spot-check on §4.3, §4.8, §4.10, and §4.11a covers most of the substantive content. Reply edits / corrections inline on the PR, or back on the original `[email protected]` thread. 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
