potiuk opened a new pull request, #8275: URL: https://github.com/apache/hbase/pull/8275
## Summary

Adds a `SECURITY.md` at the repo root that points contributors at the existing canonical security model at <https://hbase.apache.org/security-model/> and to the ASF Security team's reporting flow (`[email protected]`).

`AGENTS.md` already references the same security-model page (see the existing **Security Model** section), so this commit just completes the conventional discovery chain:

```
AGENTS.md -> SECURITY.md -> https://hbase.apache.org/security-model/
```

The `SECURITY.md` is intentionally short — it doesn't restate the threat model; the canonical page is the source of truth.

## Why now

Two practical drivers:

1. **GitHub UI affordance.** GitHub's "Report a vulnerability" link keys on the presence of `SECURITY.md` at the repo root. Without one, well-meaning reporters file public issues or PRs against what they perceive as security gaps. Having a one-page pointer to the threat model + `[email protected]` reduces that risk.
2. **Agent-driven security tooling discovery.** ASF Security team's tooling looks for threat-model references through `AGENTS.md` → `SECURITY.md` → published model. Apache HBase already has the first and third pieces; this commit adds the middle pointer so the chain is mechanically followable for anything that expects the conventional shape.

This is requested as part of the HBase opt-in to the ASF Security team's coordinated scan onboarding (the May 2026 `[GLASSWING]` thread on `[email protected]`); the request to open this specifically came from Andrew Purtell on that thread.

## What this PR does NOT do

- It does **not** modify `AGENTS.md` — the existing **Security Model** section in `AGENTS.md` already links to the same `/security-model/` page, so the agent-discovery chain works unchanged.
- It does **not** change the threat model itself. The canonical model stays at `https://hbase.apache.org/security-model/` (sourced from `hbase-website/app/pages/_landing/security-model/`).
- It does **not** introduce a new reporting alias. Reports continue to flow through `[email protected]` as the page already documents.

## Test plan

- [ ] Render `SECURITY.md` on GitHub — confirm links work.
- [ ] Confirm GitHub's "Report a vulnerability" UI affordance now surfaces the contents of `SECURITY.md`.
- [ ] Verify `AGENTS.md` Security Model section still resolves to `https://hbase.apache.org/security-model/`.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
