Add SECURITY.md#3643
Open
emkornfield wants to merge 2 commits into
Open
Conversation
Fokko
approved these changes
Jul 2, 2026
ppkarwasz
reviewed
Jul 10, 2026
ppkarwasz
left a comment
Member
There was a problem hiding this comment.
I am looking forward to seeing this merged, great job! 💯
When this is merged, could you make a PR to apache/security-site to give us the location of your threat model (just modify project-coordinates.json).
Alternatively, there is a new .asf.yaml feature, that allows you to add that information in this repo and it will be relayed to ATR:
# See https://github.com/apache/infrastructure-asfyaml?tab=readme-ov-file
project:
metadata:
committee: parquet
key: parquet-java
# Other metadata you can prefill on release-test.apache.org
# ...
# Security metadata
security_contact: security@apache.org
threat_model_link: https://github.com/apache/parquet-java/security/policy
threat_model_src_link: https://raw.githubusercontent.com/apache/parquet-java/refs/heads/master/SECURITY.md
Comment on lines
+24
to
+26
| Please report suspected vulnerabilities privately to the Parquet Project Management | ||
| Committee at private@parquet.apache.org. Do **not** file a public GitHub issue or pull | ||
| request for a suspected vulnerability, as that would disclose it before a fix is available. |
Member
There was a problem hiding this comment.
The security contact should start with security@. There are two kinds of PMCs at the ASF:
- PMCs with their own project-specific security mailing list (e.g. Airflow, Tomcat, etc.), where a subset of committers handles vulnerabilities directly. These teams often have more bandwidth than the ASF Security Team, so we generally don't touch reports for them, unless a report is misdirected to
security@apache.org, in which case we apply a "false positive filter" to avoid forwarding spam. - PMCs that rely on the main ASF Security Team. For these, we expect all security reports to go through
security@apache.org, and we only forward reports that are VALID according to the project's threat model, or that reveal a gap in it.
If you'd like your own list, you can request a project-specific security mailing list. Either way, I'd prefer private@parquet.apache.org not be used as the security contact.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Rationale for this change
Document security posture of the parquet library.
What changes are included in this PR?
Define basic security information for the parquet library.
Are these changes tested?
Doc only changes.
Are there any user-facing changes?
No.