This is an automated email from the ASF dual-hosted git repository. markt-asf pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
commit f64683fe2649c7eedb4c7db3a96113858c9bca8d Author: Mark Thomas <[email protected]> AuthorDate: Fri May 15 07:47:05 2026 +0100 Add AGENTS.md and SECURITY.md to support AI security scans --- AGENTS.md | 17 +++++++++++++++++ SECURITY.md | 14 ++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 000000000..80030edf1 --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,17 @@ +# Agent guidance + +This file is read by automated agents (security scanners, code +analyzers, AI assistants) operating on this repository. It +points them at the human-authored references they should +consult before producing output. + +## Security + +Security model: [SECURITY.md](./SECURITY.md), which links to +the canonical model document at +<https://tomcat.apache.org/security-model.html>. + +Agents that scan this repository should consult the linked +security model for the project's threat model, in-scope / +out-of-scope declarations, and known non-findings before +reporting issues. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..db79646e0 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,14 @@ +# Security + +Apache Tomcat's security model and disclosure process are +published on the project website rather than in the repository: + +- **Threat model and security policy**: + <https://tomcat.apache.org/security-model.html> +- **How to report a vulnerability**: see the Security section + of <https://tomcat.apache.org/>. + +The project website is the authoritative source; this file +exists so agents and tooling that look for `SECURITY.md` in +the repository can mechanically follow the link to the +canonical documents. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
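Review bot: In the AGENTS.md hunk, the guidance describes "the project's threat model" but never says which project: this commit lands in the tomcat-native repository while the linked page is Apache Tomcat's security model. Add one sentence stating that tomcat-native (the APR/OpenSSL connector code in this repository) is covered by that model, otherwise an automated scanner following the link may conclude the native code is out of scope and either ignore it or report everything in it as unassessed.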
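Review bot: In the SECURITY.md hunk, the "How to report a vulnerability" entry is not a direct link; it points at the home page and tells the reader to find the Security section, which contradicts the file's own claim that tooling "can mechanically follow the link to the canonical documents". Replace "see the Security section of <https://tomcat.apache.org/>" with the URL of the reporting page itself (or the security contact address), so that scanners parsing SECURITY.md pick up a usable disclosure target rather than a navigation hint.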
