potiuk opened a new pull request, #3449: URL: https://github.com/apache/tinkerpop/pull/3449
Adds a draft `THREAT_MODEL.md` for Apache TinkerPop, a `SECURITY.md` pointing to it, and a `## Security` section in `AGENTS.md`, so automated security scanners (and researchers) can mechanically discover the project's threat model via the `AGENTS.md` -> `SECURITY.md` -> `THREAT_MODEL.md` chain.

The threat model is a **v0 draft authored by the ASF Security team** for the PMC to own and refine. It follows a standard rubric (scope, trust boundaries, adversary model, security properties provided / not provided, downstream responsibilities, known non-findings, triage dispositions). Every claim carries a provenance tag — `*(documented)*` / `*(inferred)*` / `*(maintainer)*` — and **every `*(inferred)*` claim routes to a numbered question in §14** for the PMC to confirm, correct, or strike.

The highest-value items to confirm: the default authentication/TLS posture, the script-execution disposition (string scripts run through the Groovy engine), and the Gryo/serialization handling.

`THREAT_MODEL.md` and `SECURITY.md` carry the ASF license header; `AGENTS.md` is RAT-excluded. No code or behaviour changes — documentation only.

This is a proposal for the PMC to review — please adjust, correct, or reject as needed.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
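The PR relies on two conventions that are easy to break silently as the document is edited: the `AGENTS.md` -> `SECURITY.md` -> `THREAT_MODEL.md` link chain that scanners follow, and the rule that every `*(inferred)*` claim points at a numbered question in §14. The following checker is an added example, not code from the PR or the TinkerPop project: it walks the chain by following the first `.md` link in each file and then lints the threat model for untagged claims, inferred claims with no question reference, and references to questions that do not exist. The sample file contents are constructed placeholders, and the `-> §14 Q<n>` reference syntax and the "one bullet per claim" layout are assumptions about the draft's format, not something the PR text specifies.

```python
import re
from dataclasses import dataclass, field

# Provenance tags exactly as the PR describes them: *(documented)* / *(inferred)* / *(maintainer)*
TAG_RE = re.compile(r"\*\((documented|inferred|maintainer)\)\*")
# Assumed reference syntax for routing an inferred claim to a section-14 question, e.g. "-> §14 Q3"
QREF_RE = re.compile(r"\bQ(\d+)\b")
# Markdown links to other .md files, used to walk AGENTS.md -> SECURITY.md -> THREAT_MODEL.md
LINK_RE = re.compile(r"\[[^\]]*\]\(([^)\s]+\.md)\)")
# Assumption: each claim is one bullet line
CLAIM_RE = re.compile(r"^\s*[-*]\s+")


def follow_chain(files, start="AGENTS.md"):
    """Follow the first .md link in each file; stop at a file with no link, a cycle, or a missing target."""
    path = [start]
    current = start
    while True:
        m = LINK_RE.search(files[current])
        if not m or m.group(1) in path:      # end of chain, or a link back into it
            return path
        target = m.group(1)
        if target not in files:              # dangling link: scanners would stop here
            path.append(f"<missing: {target}>")
            return path
        path.append(target)
        current = target


def section14_questions(text):
    """Collect the numbers of the numbered items under the '## 14' heading."""
    in_sec14, questions = False, set()
    for line in text.splitlines():
        if line.startswith("## "):
            in_sec14 = line.startswith("## 14")
            continue
        if in_sec14:
            m = re.match(r"^\s*(\d+)\.\s", line)
            if m:
                questions.add(int(m.group(1)))
    return questions


@dataclass
class Report:
    untagged: list = field(default_factory=list)                  # claim lines with no provenance tag
    inferred_without_question: list = field(default_factory=list) # *(inferred)* but no Q<n> reference
    dangling_refs: list = field(default_factory=list)             # (line, n) where Q<n> is not in §14

    def ok(self):
        return not (self.untagged or self.inferred_without_question or self.dangling_refs)


def check_threat_model(text):
    """Lint every claim bullet outside §14 against the provenance-tag convention."""
    questions = section14_questions(text)
    report, in_sec14 = Report(), False
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("## "):
            in_sec14 = line.startswith("## 14")
            continue
        if in_sec14 or not CLAIM_RE.match(line):
            continue
        tag = TAG_RE.search(line)
        if not tag:
            report.untagged.append(lineno)
            continue
        if tag.group(1) == "inferred":
            refs = [int(n) for n in QREF_RE.findall(line)]
            if not refs:
                report.inferred_without_question.append(lineno)
            report.dangling_refs.extend((lineno, n) for n in refs if n not in questions)
    return report


# Constructed sample documents (placeholders, not the real PR contents)
SAMPLE_FILES = {
    "AGENTS.md": "# Agents\n\n## Security\n\nThe threat model is reachable from [SECURITY.md](SECURITY.md).\n",
    "SECURITY.md": "# Security\n\nSee [THREAT_MODEL.md](THREAT_MODEL.md) for scope and dispositions.\n",
    "THREAT_MODEL.md": """# Threat Model (v0 draft, constructed sample)

## 2. Trust boundaries

- Placeholder claim backed by project docs. *(documented)*
- Placeholder claim about the default listener. *(inferred)* -> §14 Q1
- Placeholder claim confirmed by a maintainer. *(maintainer)*

## 3. Adversary model

- Placeholder claim about unauthenticated peers. *(inferred)* -> §14 Q2
- Placeholder claim about serializer handling. *(inferred)* -> §14 Q7
- Placeholder claim with no question reference. *(inferred)*
- Placeholder claim with no provenance tag.

## 14. Open questions for the PMC

1. Placeholder question one.
2. Placeholder question two.
""",
}


def run(files=SAMPLE_FILES):
    """Return the discovery path and the lint report for the threat model at the end of the chain."""
    path = follow_chain(files)
    report = check_threat_model(files[path[-1]]) if path[-1] in files else Report()
    return path, report


if __name__ == "__main__":
    path, report = run()
    print(" -> ".join(path))
    print(report, "OK" if report.ok() else "FINDINGS")
```

On the constructed sample the chain resolves cleanly, while the lint reports one untagged claim, one inferred claim with no question, and one reference to a §14 question that does not exist; running it in CI against the real files would keep the chain and the tag convention honest as the PMC edits the draft.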
