potiuk opened a new pull request, #17823: URL: https://github.com/apache/iotdb/pull/17823
## What this is

A **draft threat model** for Apache IoTDB, proposed by the ASF Security team for the IoTDB PMC to review, correct, or reject. It is a starting point for discussion, not a finished document.

This PR:

- adds `THREAT_MODEL.md` — the draft model, following the [ASF Security threat-model rubric](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573);
- adds `SECURITY.md` — a short security policy that links the threat model;
- appends a `## Security` section to the existing `AGENTS.md`, so the chain `AGENTS.md → SECURITY.md → THREAT_MODEL.md` is mechanically discoverable by automated security scanners.

## How to read it

Every claim is provenance-tagged:

- *(documented)* — taken from IoTDB's own docs/repo;
- *(inferred)* — reasoned from the architecture, **not yet confirmed**;
- *(maintainer)* — confirmed by the PMC.

This v0 is deliberately inferred-heavy (~14 documented / ~41 inferred). The **§14 Open questions** section collects every inferred claim into four waves for the PMC to confirm or correct — that is where review time is best spent. The highest-impact ones:

- deployment posture, and whether the default `root:root` admin is a supported production posture or a documented must-change (wave 1);
- whether UDF / Trigger / Pipe / AINode-model server-side code execution is by-design, gated by privilege (wave 3);
- where the resource / DoS line sits — is an expensive query a bug? (wave 4).

Nothing here is a requirement — the model is for the PMC to own. Comment inline, edit the branch directly, or reply on the email thread; we'll fold in your answers and promote the *(inferred)* tags as they are confirmed.
