Add security-model discoverability pointer to the project-wide CloudStack threat model#212
Conversation
|
✅ Build complete for PR #212. 📦 Binary artifacts are available in the workflow run (expires on July 23, 2026).
|
Adds a draft project-level security threat-model document (draft-THREAT-MODEL.md) at repo root, improving discoverability for automated security scanners running against this repository. The file follows the rubric format used by several other ASF projects piloting security-model discoverability. The "draft-" prefix signals this is a proposal for the PMC to review, correct, or reject — not a finalised maintainer-blessed model. Every claim carries a provenance tag (documented / inferred / maintainer) so reviewers can see where each claim originates; §14 collects open questions for the maintainers. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
42dec55 to
61e10fa
Compare
|
There's a lot of details in the draft that needs a better set of eyes, so assigning @DaanHoogland @vishesh92 who're also PMC leads on the work. |
…po copy Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack (apache/cloudstack#13293), so scanners find one canonical model and this repo inherits it rather than duplicating it. Generated-by: Claude Code
|
Thanks @yadvr — routing to @DaanHoogland and @vishesh92 makes sense. These are just discoverability pointers to the project-wide model in #13293, so they'll naturally follow once that lands. Standing by for the leads' review — happy to reshape the pointers to match whatever #13293 settles on. No rush from our side. |
|
Quick note on CI: this is a docs-only change (AGENTS.md + SECURITY.md), and the red check is the |
There was a problem hiding this comment.
Pull request overview
This PR adds standard security-model discoverability files to point this repository’s security posture to the canonical, project-wide Apache CloudStack threat model (rather than maintaining a repo-local copy).
Changes:
- Add
SECURITY.mddescribing vulnerability reporting and linking to the project-wide threat model. - Add
AGENTS.mdto guide automated agents/scanners toSECURITY.md(and, transitively, the project threat model).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| SECURITY.md | Introduces a security policy and a pointer to the project-wide threat model. |
| AGENTS.md | Adds an agent-facing entry point that directs scanners/assistants to SECURITY.md. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| **project-wide CloudStack threat model** rather than a per-repository copy. What the | ||
| project treats as in scope and out of scope, the security properties it provides and | ||
| disclaims, the adversary model, and how findings are triaged are documented in that | ||
| model: <https://github.com/apache/cloudstack/blob/main/THREAT_MODEL.md>. |
There was a problem hiding this comment.
Good catch. The target merged into apache/cloudstack under the name draft-THREAT-MODEL.md, so this THREAT_MODEL.md pointer 404s. Rather than point at the draft name, I've opened apache/cloudstack#13599 to rename the file to the canonical THREAT_MODEL.md — that's the name scanners and satellite SECURITY.md pointers follow, and it makes this link resolve once it lands. No change needed on this repo's side.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
| model: <https://github.com/apache/cloudstack/blob/main/THREAT_MODEL.md>. | ||
|
|
||
| (That link resolves once the project-wide model lands on `apache/cloudstack`'s | ||
| `main` branch — see apache/cloudstack#13293. A thin `cloudstack-cloudmonkey`-specific | ||
| addendum can be added here later if this component needs one.) |
|
Merging for now. We can revisit later if any changes are required here. |
Summary
Apache CloudStack's security model is project-wide, not per-repository. This PR replaces the earlier standalone
draft-THREAT-MODEL.mdin this repo with the standard discoverability chain so automated scanners find the one canonical model:AGENTS.md→SECURITY.md→ the project-wide model athttps://github.com/apache/cloudstack/blob/main/THREAT_MODEL.mdThe model lives in
apache/cloudstack(see apache/cloudstack#13293); this repo inherits it via the pointer above rather than duplicating it — per the PMC's direction on #13293 to converge on the parent model first. The link resolves once that model lands onmain. A thin repo-specific addendum can be added here later if this component needs one.AGENTS.mdcarries a one-line SPDX header (it is read by agents on every session);SECURITY.mdcarries the full ASF header.