From 396181014ea43e0b60f792f6e166c8fd91d54c7a Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Mon, 6 Jul 2026 23:52:38 +0200 Subject: [PATCH 1/3] Add AGENTS.md + SECURITY.md wiring for security-model discoverability apache/cloudstack carries the project-wide security threat model (draft-THREAT-MODEL.md, merged in #13293) but no AGENTS.md/SECURITY.md chain leading to it. Add SECURITY.md (ASF disclosure pointer + a link to the model) and AGENTS.md (Security section pointing at SECURITY.md) so an automated scanner can follow AGENTS.md -> SECURITY.md -> draft-THREAT-MODEL.md. The threat-model content is untouched. Generated-by: Claude Code (Claude Opus 4.8) --- AGENTS.md | 32 ++++++++++++++++++++++++++++++++ SECURITY.md | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 AGENTS.md create mode 100644 SECURITY.md diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 000000000000..741dfa7d997d --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,32 @@ + + +# Agent Guide for cloudstack + +This file is read by automated agents (security scanners, code +analyzers, AI assistants) operating on this repository. + +## Security + +Security model: [SECURITY.md](./SECURITY.md) + +Agents that scan this repository should consult `SECURITY.md` and the +threat model it links before reporting issues. + +The project-wide security threat model lives in draft-THREAT-MODEL.md (merged via #13293); SECURITY.md points to it. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..313f7ac60ff5 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,33 @@ + + +# Security Policy + +## Reporting a Vulnerability + +`apache/cloudstack` follows the [Apache Software Foundation security process](https://www.apache.org/security/). Please report suspected +vulnerabilities privately to `security@apache.org`; do not open public +GitHub issues or pull requests for security reports. + +## Threat Model + +What the project treats as in scope and out of scope, the security +properties it provides and disclaims, the adversary model, and how +findings are triaged are documented in the project-wide threat model: +[draft-THREAT-MODEL.md](draft-THREAT-MODEL.md). From b2ef04c58844b2a15c46df4d2ad7c9358e2641ac Mon Sep 17 00:00:00 2001 From: dahn Date: Mon, 13 Jul 2026 08:00:00 +0200 Subject: [PATCH 2/3] Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- AGENTS.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 741dfa7d997d..4469efa2f494 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -17,7 +17,7 @@ specific language governing permissions and limitations under the License. --> -# Agent Guide for cloudstack +# Agent Guide for Apache CloudStack This file is read by automated agents (security scanners, code analyzers, AI assistants) operating on this repository. @@ -29,4 +29,4 @@ Security model: [SECURITY.md](./SECURITY.md) Agents that scan this repository should consult `SECURITY.md` and the threat model it links before reporting issues. -The project-wide security threat model lives in draft-THREAT-MODEL.md (merged via #13293); SECURITY.md points to it. +The project-wide security threat model is linked from `SECURITY.md`. From bfed7eea959cce8dda23f56bc30fe14356d5f3b9 Mon Sep 17 00:00:00 2001 From: dahn Date: Mon, 13 Jul 2026 10:15:58 +0200 Subject: [PATCH 3/3] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- SECURITY.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 313f7ac60ff5..ba69c0860243 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -22,8 +22,9 @@ under the License. ## Reporting a Vulnerability `apache/cloudstack` follows the [Apache Software Foundation security process](https://www.apache.org/security/). Please report suspected -vulnerabilities privately to `security@apache.org`; do not open public -GitHub issues or pull requests for security reports. +vulnerabilities privately to `security@apache.org`; do not open public GitHub issues or pull requests for security reports. + +For more details, see https://cloudstack.apache.org/security.html. ## Threat Model