[docs] Add security reporting documentation #3120

Merged
luoyuxia merged 2 commits into apache:main from matrixsparse:feature/issue-3074-security-page on Apr 21, 2026

@matrixsparse matrixsparse commented Apr 17, 2026

What is the purpose of the change

This PR adds a security page describing how to report security issues to the Apache Security Team, satisfying the maturity assessment QU30 requirement.

Brief change log

  • Add website/community/security.md with security reporting guidelines
  • Reference Paimon and OpenDAL's security page structure and wording

Verifying this change

  • Preview the documentation locally using npm start in the website directory
  • Verify the Security page appears in the Community sidebar

Does this pull request introduce a breaking change?

  • No

Documentation

  • New documentation added: security.md

Closes #3074

@luoyuxia luoyuxia requested a review from Copilot April 20, 2026 06:54
Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a new documentation page outlining how to privately report security vulnerabilities to the Apache Security Team to satisfy maturity assessment QU30.

Changes:

  • Added website/community/security.md security reporting guidelines page
  • Included instructions to email the Apache Security Team and what details to provide
  • Added a sidebar entry via frontmatter (sidebar_position: 8)

Comment thread website/community/security.md Outdated
Comment on lines +10 to +14
If you have apprehensions regarding Fluss's security or you discover vulnerability or potential threat, don't hesitate to get in touch with the Apache Security Team by dropping a mail at **security@apache.org**.

In the mail, specify the project name **Fluss** with the description of the issue or potential threat. You are also urged to recommend the way to reproduce and replicate the issue. The security team and the Fluss community will get back to you after assessing and analysing the findings.

**PLEASE PAY ATTENTION** to report the security issue on the security email before disclosing it on public domain.
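
Review bot: the second paragraph of this hunk (line 12 of the new file) asks reporters for the project name, a description and a way to reproduce the issue, but not for the affected Fluss version or the configuration in which the issue was observed. Consider adding those to the requested details so a report can be assessed without a round trip to the reporter.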
Copilot AI Apr 20, 2026

Several phrases are ungrammatical/awkward and may reduce clarity for a security-reporting process (e.g., missing articles, wrong prepositions, and mixed wording). Consider rewriting for clear, precise instructions (e.g., 'discover a vulnerability or potential threat', 'send an email', 'include reproduction steps', 'before disclosing publicly').

Suggested change
If you have apprehensions regarding Fluss's security or you discover vulnerability or potential threat, don't hesitate to get in touch with the Apache Security Team by dropping a mail at **security@apache.org**.
In the mail, specify the project name **Fluss** with the description of the issue or potential threat. You are also urged to recommend the way to reproduce and replicate the issue. The security team and the Fluss community will get back to you after assessing and analysing the findings.
**PLEASE PAY ATTENTION** to report the security issue on the security email before disclosing it on public domain.
If you have concerns regarding Fluss's security or discover a vulnerability or potential threat, please contact the Apache Security Team by sending an email to **security@apache.org**.
In the email, specify the project name **Fluss** and include a description of the issue or potential threat. You are also encouraged to include steps to reproduce the issue. The security team and the Fluss community will get back to you after assessing and analyzing the findings.
**PLEASE PAY ATTENTION** to report the security issue to the security email address before disclosing it publicly.

Comment thread website/community/security.md Outdated

In the mail, specify the project name **Fluss** with the description of the issue or potential threat. You are also urged to recommend the way to reproduce and replicate the issue. The security team and the Fluss community will get back to you after assessing and analysing the findings.

**PLEASE PAY ATTENTION** to report the security issue on the security email before disclosing it on public domain.
Copilot AI Apr 20, 2026

The instruction is unclear and uses non-idiomatic wording ('on the security email', 'on public domain'). For documentation that may be referenced during incidents, use explicit, unambiguous language (e.g., 'Please report security issues privately to security@apache.org before disclosing publicly'). This reduces the chance of accidental public disclosure.

Suggested change
**PLEASE PAY ATTENTION** to report the security issue on the security email before disclosing it on public domain.
**PLEASE PAY ATTENTION** to report the security issue privately to **security@apache.org** before disclosing it publicly.
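
Review bot: this suggestion and the earlier one in the same review both rewrite the closing "PLEASE PAY ATTENTION" line, with different wording ("to the security email address" versus "privately to **security@apache.org**"), so only one of them can be applied. This version is the clearer of the two because it names the address; the opening "PLEASE PAY ATTENTION to report" is still awkward in both and could become "Please report the security issue privately to **security@apache.org** before disclosing it publicly."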

luoyuxia commented Apr 20, 2026

@matrixsparse Hi, LGTM overall. But it seems the Copilot suggestions make it clear. Maybe you can take these suggestions.

Add a security page describing how to report security issues
to the Apache Security Team, satisfying maturity assessment
QU30 requirement.

Reference:
- Paimon: https://paimon.apache.org/security
- OpenDAL: https://opendal.apache.org/community/security/

Closes apache#3074

Fix grammatical issues and improve clarity in security reporting
guidelines as suggested by Copilot review.

Closes apache#3074
@matrixsparse matrixsparse force-pushed the feature/issue-3074-security-page branch from 9a28ae7 to fc038fe Compare April 20, 2026 14:25
@matrixsparse
Hi @luoyuxia, Updated the wording as suggested. PTAL

@luoyuxia luoyuxia left a comment

+1

@luoyuxia luoyuxia merged commit 327c6d1 into apache:main Apr 21, 2026
2 checks passed
Ugbot pushed a commit to Ugbot/fluss that referenced this pull request Apr 26, 2026
Development

Successfully merging this pull request may close these issues.

add a page for reporting security issue