Add SECURITY.md pointing at security-model + reporting flow #8275
Open
potiuk wants to merge 2 commits into
Conversation
Apache HBase already has a substantive threat model published at https://hbase.apache.org/security-model/ and AGENTS.md already references it (Security Model section). This commit adds the conventional GitHub-recognised SECURITY.md at the repo root so the discoverability chain is canonical (AGENTS.md -> SECURITY.md -> security-model page) and the standard GitHub 'Report a vulnerability' affordance lands on the right policy text. Per request on the Apache HBase scan-onboarding thread ([GLASSWING] HBase, May 2026).
Makes the canonical discovery chain explicit: AGENTS.md -> SECURITY.md -> https://hbase.apache.org/security-model/. Previously AGENTS.md linked directly to the published page, which works for agents but skips the conventional SECURITY.md hop. With this change SECURITY.md is the single 'where to find the model + how to report' entry point and AGENTS.md routes through it.
Summary

Makes the canonical discovery chain for the security model explicit and conventional:

Two files changed:

- New `SECURITY.md` at the repo root — short pointer to the published model at https://hbase.apache.org/security-model/ and to the security@apache.org reporting flow. Intentionally doesn't restate the model; the published page stays the source of truth.
- `AGENTS.md` — Security Model section updated — previously linked the published page directly; now routes through `SECURITY.md` so the discovery chain is canonical. Same target URL on the other end.
Why

Two practical drivers:

- GitHub UI affordance. GitHub's "Report a vulnerability" link surfaces the contents of `SECURITY.md` at the repo root. Without one, well-meaning reporters file public issues or PRs against what they perceive as security gaps. Having a one-page pointer to the threat model + security@apache.org reduces that risk.
- Agent-driven security tooling discovery. The ASF Security team's tooling looks for threat-model references through the `AGENTS.md` → `SECURITY.md` → published model chain. Apache HBase already had the first and third pieces (the `AGENTS.md` Security Model section + the `/security-model/` page); this commit adds the middle pointer so the chain is mechanically followable for anything that expects the conventional shape.

This is requested as part of the HBase opt-in to the ASF Security team's coordinated scan onboarding (the May 2026 [GLASSWING] thread on private@hbase.apache.org); the request to open this specifically came from Andrew Purtell on that thread.
What this PR does NOT do

- model stays at https://hbase.apache.org/security-model/ (sourced from `hbase-website/app/pages/_landing/security-model/`).
- continue to flow through security@apache.org as the published page already documents.
- conventions content in `AGENTS.md` — only the Security Model section's wording.
Test plan

- `SECURITY.md` on GitHub — confirm the model link and security@apache.org mailto resolve.
- now surfaces the contents of `SECURITY.md`.
- `AGENTS.md` Security Model section reads as a canonical chain (`AGENTS.md → SECURITY.md → /security-model/`).
- `git log --oneline -2` on the branch shows the two logically-separate commits (one per file) so reviewers can read them independently.
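The "mechanically followable" chain the Why section describes (AGENTS.md → SECURITY.md → published model, plus the reporting address) can be checked offline with a few lines of Python. The checker below is an added example and is not part of this PR or of the ASF Security team's tooling; the `AGENTS.md` and `SECURITY.md` contents in it are constructed samples (the PR's actual file text is not reproduced on this page), and `check_chain`, `section` and the "before" sample `AGENTS_MD_DIRECT` are names invented for the example.

```python
"""Added example (not part of the PR): follow the AGENTS.md -> SECURITY.md ->
published-model discovery chain and report which hop, if any, is missing.
All file contents below are constructed for the example."""
import re

# Values the PR text gives as the chain's endpoints.
MODEL_URL = "https://hbase.apache.org/security-model/"
REPORT_ADDRESS = "security@apache.org"

# Constructed sample of an AGENTS.md whose Security Model section routes
# through SECURITY.md (the shape the PR says AGENTS.md now has).
AGENTS_MD = """\
## Security Model

The threat model for this project is described in SECURITY.md, which
points at the published security model page.
"""

# Constructed sample SECURITY.md: a short pointer, not a restatement.
SECURITY_MD = """\
# Security Policy

The HBase threat model is published at https://hbase.apache.org/security-model/.

To report a vulnerability, email security@apache.org. Please do not open
public issues or pull requests for suspected security problems.
"""

# Constructed "before" shape: AGENTS.md links straight to the published page
# and skips the SECURITY.md hop, so the conventional chain is incomplete.
AGENTS_MD_DIRECT = """\
## Security Model

See https://hbase.apache.org/security-model/ for the threat model.
"""


def section(text, heading):
    """Return the body of the markdown section titled `heading`, or ''."""
    pattern = (r"^#+\s*" + re.escape(heading) + r"\s*$"   # the heading line
               r"(.*?)"                                   # section body
               r"(?=^#+\s|\Z)")                           # next heading or EOF
    m = re.search(pattern, text, re.M | re.S)
    return m.group(1) if m else ""


def check_chain(agents_md, security_md):
    """Walk each hop of the discovery chain and report it as True/False."""
    sec = section(agents_md, "Security Model")
    result = {
        # hop 1: AGENTS.md's Security Model section names SECURITY.md
        "agents_routes_via_security_md": "SECURITY.md" in sec,
        # hop 2: SECURITY.md carries the published model URL
        "security_md_links_model": MODEL_URL in security_md,
        # reporting flow: SECURITY.md names the reporting address
        "security_md_names_report_address": REPORT_ADDRESS in security_md,
    }
    result["chain_complete"] = all(result.values())
    return result


if __name__ == "__main__":
    print("after PR :", check_chain(AGENTS_MD, SECURITY_MD))
    print("before PR:", check_chain(AGENTS_MD_DIRECT, SECURITY_MD))
```

The check deliberately stops at the text of the two files: it confirms the middle hop exists and that SECURITY.md names the published URL and the reporting address, which is what the PR adds. Whether the URL itself resolves is the separate, online step the test plan lists.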