github-actions[bot] opened a new pull request, #67017:
URL: https://github.com/apache/airflow/pull/67017

* docs(security): document supported deployment platforms

  Add an explicit out-of-scope section for non-Linux platforms to the Security Model. Bugs that only manifest on Windows / macOS / other non-Linux platforms are not eligible for CVE allocation because Airflow does not officially support those platforms as deployment targets.

  Codifies what was already the security team's practice — most recently the disposition on a 2026-05-14 IMAP-attachment-path-traversal report that only manifested on Windows due to backslash path-separator handling, closed NOT-CVE-WORTHY on this basis. Future Windows-only / macOS-only reports get the same treatment, and reporters can read the rule upfront before submitting.

  The rule applies symmetrically: a bug that affects Linux is judged on the Linux behavior regardless of whether it also reaches Windows; non-Linux-only bugs are out of scope.

  Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* Apply suggestions from code review

  Co-authored-by: Jarek Potiuk <[email protected]>

---------

(cherry picked from commit ea60a4d6844f39e3c5793468ba75c7e661825aad)

Co-authored-by: Jarek Potiuk <[email protected]>
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
