GitHub user pjfanning edited a discussion: Define a Security Model

With more and more independent security researchers and AI generated security 
scanning of OSS repos, we probably want a SECURITY.md file.
We inherit a Security declaration in GitHub from the Apache Org. It is mainly 
just a declaration of how to report issues but not what we support.
https://github.com/apache/pekko?tab=security-ov-file#readme

We also have some more specific details on our website.
https://pekko.apache.org/docs/pekko/current/security/index.html

The Apache Pekko tooling in this repo has many varied use cases but at the end 
of the day, we encourage Pekko users to
* never accept inputs from untrusted users
* when using Pekko Cluster (and Pekko Remote), ensure that all the nodes are 
behind a firewall
    * this is still the case even if you enable TLS and mutual authentication 
between TLS peers

**Don't raise any sensitive topics like security issues or internal ASF 
discussions here. This discussion is just about defining a detailed security 
model.**

I would welcome scans of the Pekko code base but for me, most issues would 
probably land as bug reports as opposed to being treated as security issues 
that have CVEs reported for them.

If any security researcher finds this discussion, please read 
https://pekko.apache.org/docs/pekko/current/security/index.html#reporting-vulnerabilities
and the linked documentation.

GitHub link: https://github.com/apache/pekko/discussions/3036

----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: 
[email protected]

