sha174n opened a new pull request, #40332: URL: https://github.com/apache/superset/pull/40332
## Summary

Expands the "Out of Scope Vulnerabilities" section in SECURITY.md to clarify common vulnerability report categories that fall outside our security scope.

## Changes

Added clarifications for:

- **User enumeration** through API responses or timing differences
- **Low-impact information disclosure** (versions, generic errors, stack traces)
- **Resource exhaustion requiring authentication**
- **Missing security headers** without demonstrable exploit scenarios

## Why This Change

- Reduces triage overhead for common low-impact findings
- Aligns with exclusion patterns from other Apache projects (Kafka, Tomcat, HTTP Server)
- Helps manage high-volume AI-generated security reports
- Focuses engineering effort on genuine architectural risks

## Context

Based on patterns observed in recent vulnerability reports and consultation with Apache Security Team feedback on user enumeration findings.

No changes to actual security implementation - this is purely documentation clarification of existing triage practices.
