docs: expand out-of-scope vulnerability definitions #40332

Merged
hainenber merged 6 commits into apache:master from sha174n:docs/expand-security-scope-exclusions on May 22, 2026

Conversation

@sha174n (Contributor) commented May 21, 2026

Summary

Adds a broader impact-based vulnerability definition and expands out-of-scope categories in SECURITY.md to improve security report triage efficiency.

Changes

New vulnerability definition: Establishes impact-based criteria focusing on meaningful threats to confidentiality, integrity, or availability beyond the intended security model.

Expanded out-of-scope categories:

  • User enumeration through API responses or timing differences
  • Low-impact information disclosure (versions, generic errors, stack traces)
  • Resource exhaustion requiring authentication
  • Missing security headers without demonstrable exploit scenarios

Why This Change

  • Reduces triage overhead for common low-impact findings
  • Focuses engineering effort on genuine architectural risks rather than technical edge cases
  • Aligns with Apache project patterns observed in Kafka, Tomcat, and HTTP Server
  • Addresses AI-generated report volume by clarifying scope boundaries

Context

The impact-based definition allows classification of exploitable but low-impact edge cases as hardening improvements rather than CVE-worthy vulnerabilities. This approach balances security rigor with practical resource allocation.

No changes to actual security implementation - purely documentation clarification of triage practices.

Add clarifications for common vulnerability report categories that fall
outside our security scope to help manage high-volume reporting and
align with other Apache projects:

- User enumeration through API responses or timing differences
- Low-impact information disclosure (versions, generic errors)
- Resource exhaustion requiring authentication
- Missing security headers without demonstrable exploit

This reduces triage overhead while focusing on genuine architectural risks.
@bito-code-review (Bot) commented May 21, 2026

Bito Automatic Review Skipped - Files Excluded

Bito didn't auto-review this change because all changed files are in the exclusion list for automatic reviews. No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change the excluded files settings here, or contact your Bito workspace admin at evan@preset.io.

@dosubot dosubot Bot added the doc Namespace | Anything related to documentation label May 21, 2026
@github-actions github-actions Bot removed the doc Namespace | Anything related to documentation label May 21, 2026
sha174n and others added 5 commits May 21, 2026 14:17
Define vulnerabilities as issues with meaningful impact beyond intended
security model, allowing low-impact technical edge cases to be classified
as hardening rather than vulnerabilities. This provides clearer triage
criteria for boundary variations and access control edge cases.
@hainenber (Contributor) commented:

I'm fine with this doc expansion, even with AI-ish tone. Helps clarify a bit on the plausible vulnerability reports.

@hainenber hainenber merged commit 8e98ca6 into apache:master May 22, 2026
61 checks passed
@bito-code-review (Bot) commented:

Bito Automatic Review Skipped – PR Already Merged

Bito scheduled an automatic review for this pull request, but the review was skipped because this PR was merged before the review could be run.
No action is needed if you didn't intend to review it. To get a review, you can type /review in a comment and save it.
