From a87041e22a67b45e2862808e53e04a34d8b9342d Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Mon, 18 May 2026 00:48:46 +0200 Subject: [PATCH 1/3] Add SECURITY.md + AGENTS.md Security section for scan-agent discoverability Adds a SECURITY.md to the repo root and a Security section at the end of the existing AGENTS.md so an automated scan agent can mechanically discover the project's security model via the conventional AGENTS.md -> SECURITY.md -> model URL chain. The chain terminates at the existing https://spark.apache.org/docs/latest/security.html document. Generated-by: Claude Code (Claude Opus 4.7) --- AGENTS.md | 8 ++++++++ SECURITY.md | 22 ++++++++++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 SECURITY.md diff --git a/AGENTS.md b/AGENTS.md index 28944c9d78108..870dff8150ec7 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -155,3 +155,11 @@ DO NOT push to the upstream repo. Always push to the personal fork. Open PRs aga DO NOT force push or use `--amend` on pushed commits unless the user explicitly asks. If the remote branch has new commits, fetch and rebase before pushing. Always get user approval before external operations such as pushing commits, creating PRs, or posting comments. Use `gh pr create` to open PRs. If `gh` is not installed, generate the GitHub PR URL for the user and recommend installing the GitHub CLI. + +## Security + +Security model: [SECURITY.md](./SECURITY.md) + +Agents that scan this repository should consult `SECURITY.md` +for the project's threat model, in-scope / out-of-scope +declarations, and known non-findings before reporting issues. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000000..de69c20ab2aea --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,22 @@ +# Security policy + +## Reporting a vulnerability + +To report a security vulnerability in Apache Spark, follow the +ASF security process at . +Reports can be sent privately to security@apache.org or to +security@spark.apache.org. + +## Threat model + +Apache Spark's security guidance for operators — covering +authentication, encryption, access control, Kerberos +integration, trust boundaries, environmental assumptions, +security properties provided and not provided, and downstream +operator responsibilities — is documented at: + + + +Automated security scanning agents should consult that +document for the project's in-scope / out-of-scope +declarations before reporting issues. From 98050dc5ddc89345fba2a1e17889d3b785347231 Mon Sep 17 00:00:00 2001 From: Xiao Li Date: Thu, 21 May 2026 15:35:34 -0700 Subject: [PATCH 2/3] Update SECURITY.md --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index de69c20ab2aea..aa4426d2bb61d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -5,7 +5,7 @@ To report a security vulnerability in Apache Spark, follow the ASF security process at . Reports can be sent privately to security@apache.org or to -security@spark.apache.org. +private@spark.apache.org. ## Threat model From 0998f043b3b307646975e8e13801e3335a2cd220 Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Fri, 22 May 2026 12:02:09 +0200 Subject: [PATCH 3/3] Address review: remove manual line breaks (per cloud-fan) Per the existing style in AGENTS.md (paragraphs are single long lines; markdown renderers handle wrap), unwrap the added Security section in AGENTS.md and the body paragraphs in SECURITY.md. Generated-by: Claude Code (Claude Opus 4.7) --- AGENTS.md | 4 +--- SECURITY.md | 15 +++------------ 2 files changed, 4 insertions(+), 15 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 870dff8150ec7..c37d8a1304217 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -160,6 +160,4 @@ Always get user approval before external operations such as pushing commits, cre Security model: [SECURITY.md](./SECURITY.md) -Agents that scan this repository should consult `SECURITY.md` -for the project's threat model, in-scope / out-of-scope -declarations, and known non-findings before reporting issues. +Agents that scan this repository should consult `SECURITY.md` for the project's threat model, in-scope / out-of-scope declarations, and known non-findings before reporting issues. diff --git a/SECURITY.md b/SECURITY.md index aa4426d2bb61d..26b540d81ab53 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,21 +2,12 @@ ## Reporting a vulnerability -To report a security vulnerability in Apache Spark, follow the -ASF security process at . -Reports can be sent privately to security@apache.org or to -private@spark.apache.org. +To report a security vulnerability in Apache Spark, follow the ASF security process at . Reports can be sent privately to security@apache.org or to private@spark.apache.org. ## Threat model -Apache Spark's security guidance for operators — covering -authentication, encryption, access control, Kerberos -integration, trust boundaries, environmental assumptions, -security properties provided and not provided, and downstream -operator responsibilities — is documented at: +Apache Spark's security guidance for operators — covering authentication, encryption, access control, Kerberos integration, trust boundaries, environmental assumptions, security properties provided and not provided, and downstream operator responsibilities — is documented at: -Automated security scanning agents should consult that -document for the project's in-scope / out-of-scope -declarations before reporting issues. +Automated security scanning agents should consult that document for the project's in-scope / out-of-scope declarations before reporting issues.
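Review bot: In the AGENTS.md hunk of patch 1/3 (`@@ -155,3 +155,11 @@`), the added sentence promises that `SECURITY.md` contains "known non-findings", but the SECURITY.md created in the same patch carries no list of non-findings; it only points to the external security document. Either add an explicit non-findings section to SECURITY.md (even an empty "None at this time" placeholder keeps the promise honest) or drop "and known non-findings" from the sentence, otherwise a scan agent following the chain is told to look for something that is not there.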
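Review bot: In the SECURITY.md creation hunk of patch 1/3 (`@@ -0,0 +1,22 @@`), the link targets are not visible in the diff as shown: "follow the ASF security process at ." ends with nothing after "at", and the "Threat model" paragraph ends with "is documented at:" followed by two empty `+` lines. If the URLs were written as bare autolinks they may be getting stripped by the renderer; please confirm the ASF process URL and the https://spark.apache.org/docs/latest/security.html link named in the commit message actually survive in the rendered file, since the whole point of the chain is that an agent can follow them mechanically.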
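Review bot: The one-line commit message "Update SECURITY.md" for patch 2/3 gives no reason for changing the reporting address from `security@spark.apache.org` to `private@spark.apache.org`. Please state in the message why the address changes (for example, that the earlier address does not exist or is not monitored, or that `private@` is the PMC's private list and the intended channel), since a wrong or dead reporting address in SECURITY.md is the kind of defect that goes unnoticed until a real report is lost.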
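Review bot: In the SECURITY.md hunk of patch 3/3 (`@@ -2,21 +2,12 @@`), the section heading is "Threat model" while AGENTS.md labels the same link "Security model:", and the section itself contains no threat model text, only a pointer to the operator guidance. Consider renaming the heading to "Security model" so the two files use the same term an agent will search for, and add one sentence saying that the threat model is defined in the linked document rather than here. The unwrapping to single-line paragraphs itself looks consistent with the AGENTS.md convention the commit message cites.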