sha174n opened a new pull request, #38653: URL: https://github.com/apache/superset/pull/38653
<!--- Please write the PR title following the conventions at https://www.conventionalcommits.org/en/v1.0.0/ Example: fix(dashboard): load charts correctly --> ### SUMMARY <!--- Describe the change below, including rationale and design decisions --> Expands and clarifies Apache Superset's security reporting documentation across two files: - **`.github/SECURITY.md`** - Added submission standards: plain-text format requirement, mandatory AI/LLM disclosure, and human-verified PoC requirement - Defined explicit out-of-scope categories (Admin-only attack vectors, brute force/DoS, theoretical/unverified findings) - Added CVE aggregation policy based on MITRE CNA Operational Rules 4.1.10, 4.1.11, and 4.2.13 - Clarified outcome handling: borderline reports may be converted to public GitHub issues for community hardening - **`docs/admin_docs/security/security.mdx`** - Added a threat model section under the Admin role explaining that Admin is a fully trusted operational boundary - Clarified that actions taken with Admin privileges are intended capabilities, not vulnerabilities, and are ineligible for CVE assignment per MITRE CNA Rule 4.1 ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF <!--- Skip this if not applicable --> ### TESTING INSTRUCTIONS <!--- Required! What steps can be taken to manually verify the changes? --> ### ADDITIONAL INFORMATION <!--- Check any relevant boxes with "x" --> <!--- HINT: Include "Fixes #nnn" if you are fixing an existing issue --> - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351)) - [ ] Migration is atomic, supports rollback & is backwards-compatible - [ ] Confirm DB migration upgrade and downgrade tested - [ ] Runtime estimates and downtime expectations provided - [ ] Introduces new feature or API - [ ] Removes existing feature or API -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
