Jarek Potiuk created HDDS-15465:
-----------------------------------
Summary: Add a project threat model and security-model
discoverability (AGENTS.md, SECURITY.md)
Key: HDDS-15465
URL: https://issues.apache.org/jira/browse/HDDS-15465
Project: Apache Ozone
Issue Type: Task
Reporter: Jarek Potiuk

The ASF Security team is piloting improved security-model discoverability so
that automated security scanners can locate a project's threat model via the
standard AGENTS.md -> SECURITY.md chain.
This issue tracks adding the following to apache/ozone, for the Ozone PMC to
review:
- THREAT_MODEL.md — a draft project threat model (scope; trust boundaries; the
OM/SCM metadata+block RPC, DataNode block-token data plane, and S3-gateway
surfaces; Kerberos + delegation/block-token auth; ACLs/Ranger; known
non-findings; triage dispositions). Drafted against the Michael Scovetta
threat-model rubric; every claim is provenance-tagged and the open questions
for the PMC are collected in a dedicated section.
- A "## Threat Model" pointer appended to the existing SECURITY.md (the
reporting policy is unchanged).
- AGENTS.md wiring AGENTS.md -> SECURITY.md -> THREAT_MODEL.md so scanners
follow one canonical model.
It is a draft for the PMC to confirm, correct, or reject. PR to follow.