Add SECURITY.md#3643
Conversation
ppkarwasz
left a comment
There was a problem hiding this comment.
I am looking forward to seeing this merged, great job! 💯
When this is merged, could you make a PR to apache/security-site to give us the location of your threat model (just modify project-coordinates.json).
Alternatively, there is a new .asf.yaml feature, that allows you to add that information in this repo and it will be relayed to ATR:
# See https://github.com/apache/infrastructure-asfyaml?tab=readme-ov-file
project:
metadata:
committee: parquet
key: parquet-java
# Other metadata you can prefill on release-test.apache.org
# ...
# Security metadata
security_contact: security@apache.org
threat_model_link: https://github.com/apache/parquet-java/security/policy
threat_model_src_link: https://raw.githubusercontent.com/apache/parquet-java/refs/heads/master/SECURITY.md| Please report suspected vulnerabilities privately to the Parquet Project Management | ||
| Committee at private@parquet.apache.org. Do **not** file a public GitHub issue or pull | ||
| request for a suspected vulnerability, as that would disclose it before a fix is available. |
There was a problem hiding this comment.
The security contact should start with security@. There are two kinds of PMCs at the ASF:
- PMCs with their own project-specific security mailing list (e.g. Airflow, Tomcat, etc.), where a subset of committers handles vulnerabilities directly. These teams often have more bandwidth than the ASF Security Team, so we generally don't touch reports for them, unless a report is misdirected to
security@apache.org, in which case we apply a "false positive filter" to avoid forwarding spam. - PMCs that rely on the main ASF Security Team. For these, we expect all security reports to go through
security@apache.org, and we only forward reports that are VALID according to the project's threat model, or that reveal a gap in it.
If you'd like your own list, you can request a project-specific security mailing list. Either way, I'd prefer private@parquet.apache.org not be used as the security contact.
There was a problem hiding this comment.
updated to point to security@apache.org thanks.
Co-authored-by: emkornfield <emkornfield@gmail.com>
|
Thanks everyone for the reviews. I'm going to submit this now, and we can refine later. |
Rationale for this change
Document security posture of the parquet library.
What changes are included in this PR?
Define basic security information for the parquet library.
Are these changes tested?
Doc only changes.
Are there any user-facing changes?
No.