Skip to content

Add SECURITY.md#3643

Open
emkornfield wants to merge 2 commits into
apache:masterfrom
emkornfield:security.md
Open

Add SECURITY.md#3643
emkornfield wants to merge 2 commits into
apache:masterfrom
emkornfield:security.md

Conversation

@emkornfield

Copy link
Copy Markdown
Contributor

Rationale for this change

Document security posture of the parquet library.

What changes are included in this PR?

Define basic security information for the parquet library.

Are these changes tested?

Doc only changes.

Are there any user-facing changes?

No.

@ppkarwasz ppkarwasz left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am looking forward to seeing this merged, great job! 💯

When this is merged, could you make a PR to apache/security-site to give us the location of your threat model (just modify project-coordinates.json).

Alternatively, there is a new .asf.yaml feature, that allows you to add that information in this repo and it will be relayed to ATR:

# See https://github.com/apache/infrastructure-asfyaml?tab=readme-ov-file
project:
  metadata:
    committee: parquet
    key: parquet-java
    # Other metadata you can prefill on release-test.apache.org
    # ...
    # Security metadata
    security_contact: security@apache.org
    threat_model_link: https://github.com/apache/parquet-java/security/policy
    threat_model_src_link: https://raw.githubusercontent.com/apache/parquet-java/refs/heads/master/SECURITY.md

Comment thread SECURITY.md
Comment on lines +24 to +26
Please report suspected vulnerabilities privately to the Parquet Project Management
Committee at private@parquet.apache.org. Do **not** file a public GitHub issue or pull
request for a suspected vulnerability, as that would disclose it before a fix is available.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The security contact should start with security@. There are two kinds of PMCs at the ASF:

  • PMCs with their own project-specific security mailing list (e.g. Airflow, Tomcat, etc.), where a subset of committers handles vulnerabilities directly. These teams often have more bandwidth than the ASF Security Team, so we generally don't touch reports for them, unless a report is misdirected to security@apache.org, in which case we apply a "false positive filter" to avoid forwarding spam.
  • PMCs that rely on the main ASF Security Team. For these, we expect all security reports to go through security@apache.org, and we only forward reports that are VALID according to the project's threat model, or that reveal a gap in it.

If you'd like your own list, you can request a project-specific security mailing list. Either way, I'd prefer private@parquet.apache.org not be used as the security contact.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants