This is an automated email from the ASF dual-hosted git repository.
ndimiduk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/master by this push:
new 52e6fdf107f HBASE-30181 Add SECURITY.md pointing at security-model +
reporting flow (#8275)
52e6fdf107f is described below
commit 52e6fdf107fa0839de8642f3ae4ba06c86b6199e
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sun May 31 18:49:15 2026 +0200
HBASE-30181 Add SECURITY.md pointing at security-model + reporting flow
(#8275)
* Add SECURITY.md pointing at security-model and reporting flow
Apache HBase already has a substantive threat model published at
https://hbase.apache.org/security-model/ and AGENTS.md already
references it (Security Model section). This commit adds the
conventional GitHub-recognised SECURITY.md at the repo root so the
discoverability chain is canonical (AGENTS.md -> SECURITY.md ->
security-model page) and the standard GitHub 'Report a
vulnerability' affordance lands on the right policy text.
Per request on the Apache HBase scan-onboarding thread
([GLASSWING] HBase, May 2026).
* Update AGENTS.md Security Model section to reference SECURITY.md
Makes the canonical discovery chain explicit:
AGENTS.md -> SECURITY.md -> https://hbase.apache.org/security-model/
Previously AGENTS.md linked directly to the published page, which works
for agents but skips the conventional SECURITY.md hop. With this change
SECURITY.md is the single 'where to find the model + how to report'
entry point and AGENTS.md routes through it.
---
AGENTS.md | 13 +++++++++----
SECURITY.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/AGENTS.md b/AGENTS.md
index a1ef12e9658..cebf7b26c3d 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -183,10 +183,15 @@ LLM context ingestion.
## Security Model
-The project's security model is documented at
-`hbase-website/app/pages/_landing/security-model/content.md`
-(published at https://hbase.apache.org/security-model).
-Read that document for the full security model including trust boundaries,
+The project's security model is the entry point for any security analysis
+of this codebase. The canonical chain for discovering it is:
+
+ AGENTS.md -> SECURITY.md -> https://hbase.apache.org/security-model/
+
+`SECURITY.md` at the repo root is a short pointer to the published model
+and the `[email protected]` reporting flow. The full model (source at
+`hbase-website/app/pages/_landing/security-model/content.md`, published
+at <https://hbase.apache.org/security-model/>) details trust boundaries,
what constitutes a valid vulnerability, and what does not.
When performing security analysis of this codebase, use the navigation
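Review bot: The added paragraph hardcodes the `[email protected]` address in AGENTS.md even though the same paragraph (and the commit message) makes `SECURITY.md` the single "where to find the model + how to report" entry point, so the reporting address now lives in two files that must be kept in sync. Consider rewording the added line to `and the vulnerability reporting flow.` and letting SECURITY.md own the address. The trailing-slash change to the published URL matches the form used in SECURITY.md and is fine.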
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000000..0193f0b4d6f
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,46 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# Security Policy
+
+## Reporting a Vulnerability
+
+To report a security vulnerability in Apache HBase, please send a
+private email to <[email protected]> — the Apache Software
+Foundation security team. Do **not** open a public GitHub issue or
+pull request, as that risks disclosure before a fix is available.
+
+The Apache HBase PMC is looped in privately as part of the standard
+ASF disclosure process. See <https://www.apache.org/security/> for
+the overall ASF vulnerability handling flow.
+
+## Threat Model
+
+Apache HBase's security model — trust boundaries, what constitutes a
+valid vulnerability report, and what does not — is documented at:
+
+ <https://hbase.apache.org/security-model/>
+
+Please read that document before filing a report so the PMC can triage
+quickly and accurately.
+
+## Tooling notes
+
+Agents and automated security tools analyzing this repository should
+also consult [`AGENTS.md`](./AGENTS.md), which references the same
+security model as the authoritative scope document.
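Review bot: The new SECURITY.md carries no "Supported Versions" statement, so a reporter who lands here via the GitHub "Report a vulnerability" affordance cannot tell which release lines receive security fixes; consider a short section next to "Reporting a Vulnerability", or a link to the release page that states it. The reporting section is also silent on whether a report can be sent encrypted; if the ASF security team publishes a key for <[email protected]>, linking it from the same paragraph would save reporters a detour through <https://www.apache.org/security/>.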