This is an automated email from the ASF dual-hosted git repository.
bryancall pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 863f5ddc20 Update AGENTS.md and clarify SECURITY.md plugin scope (#13179)
863f5ddc20 is described below
commit 863f5ddc20ad924472700a1edcdb7d376cf3c4e1
Author: Bryan Call <[email protected]>
AuthorDate: Tue May 19 15:37:45 2026 -0700
Update AGENTS.md and clarify SECURITY.md plugin scope (#13179)
AGENTS.md gains a Security section pointing at SECURITY.md so the
policy is discoverable for coding agents.
SECURITY.md clarifies that shipped plugins, including those under
plugins/experimental/, are in scope for security reporting. The
experimental carve-out is narrowed to experimental features and names
HTTP/3 / QUIC explicitly.
---
AGENTS.md | 5 +++++
SECURITY.md | 8 ++++++--
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/AGENTS.md b/AGENTS.md
index 75308cecdf..333da8ba1f 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -383,6 +383,11 @@ MIOBuffer *buffer = (MIOBuffer*)malloc(sizeof(MIOBuffer));
- `src/proxy/http/remap/RemapConfig.cc` - URL remapping logic
- `include/ts/ts.h` - Plugin API
+## Security
+
+See [SECURITY.md](SECURITY.md) for the project's security policy, threat model,
+scope, and vulnerability reporting process.
+
## Resources
- Official docs: https://trafficserver.apache.org/
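Review bot: the new Security section tells coding agents where the policy lives but not what to do in the case that matters most for an automated contributor, namely finding a likely vulnerability while editing code. Suggest one more sentence after the link, e.g. "If you find what looks like a security bug, do not describe it in a public issue, PR or commit message; use the private reporting process in SECURITY.md." Also worth checking that a blank line separates the preceding `- \`include/ts/ts.h\`` list item from `## Security`, since the hunk renders them adjacent.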
diff --git a/SECURITY.md b/SECURITY.md
index be75009149..8d46386e9b 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -16,7 +16,11 @@ Administrative users are always considered to be trusted.
Reports for vulnerabil
Security-sensitive information may be logged with modified logging
configurations, particularly if debug logging is enabled.
-Experimental features and plugins are known unstable and not supposed to be
used on production. We do not consider
-vulnerabilities in those as security issues. You may report vulnerabilities in
those publicly on our public lists or GitHub. However, please
+Experimental features are known unstable and not supposed to be used on
production. We do not consider
+vulnerabilities in those as security issues. This explicitly includes HTTP/3
and QUIC support, which remain
+experimental. You may report vulnerabilities in those publicly on our public
lists or GitHub. However, please
contact us privately, if you believe the vulnerabilities you find are serious,
or if you are not sure whether you should report the
vulnerabilities publicly.
+
+Plugins shipped with Traffic Server, including those under
`plugins/experimental/`, are in scope for security
+reporting. Please report vulnerabilities in those through the private security
mailing list following the process above.
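Review bot: the new plugins paragraph says to follow "the process above", but the paragraph immediately above it is the one that permits public reporting for experimental features, so a reader could conclude that plugins under `plugins/experimental/` may also be reported publicly, the opposite of the intent. Suggest stating the precedence and the destination explicitly, e.g. "This applies even when a plugin implements an experimental feature such as HTTP/3 or QUIC; report such issues only via the private security mailing list." Minor wording in the reworded lines: "used on production" reads better as "used in production", and the comma in "contact us privately, if you believe" should be dropped.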