
Commit ad9697f

Merge pull request #352 from potiuk/asf-security/threat-model-2026-05-31
Add umbrella threat model + SECURITY.md + AGENTS.md for security-model discoverability
2 parents 3c80c7d + 14220bf commit ad9697f

3 files changed

Lines changed: 348 additions & 0 deletions


AGENTS.md

Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
<!--
2+
SPDX-License-Identifier: Apache-2.0
3+
4+
Licensed under the Apache License, Version 2.0 (the "License");
5+
you may not use this file except in compliance with the License.
6+
You may obtain a copy of the License at
7+
8+
https://www.apache.org/licenses/LICENSE-2.0
9+
10+
Unless required by applicable law or agreed to in writing, software
11+
distributed under the License is distributed on an "AS IS" BASIS,
12+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
See the License for the specific language governing permissions and
14+
limitations under the License.
15+
-->
16+
17+
# Agent Guide for Apache Directory Server (ApacheDS)
18+
19+
This file is read by automated agents (security scanners, code analyzers,
20+
AI assistants) operating on this repository.
21+
22+
## Security
23+
24+
Security model: [SECURITY.md](./SECURITY.md) -> [THREAT_MODEL.md](./THREAT_MODEL.md)
25+
26+
This repository hosts the **Apache Directory umbrella threat model**, which
27+
covers the shared identity-stack trust model across the project's components —
28+
LDAP bind/ACI (ApacheDS), the LDAP API codec, Kerberos KDC (Kerby), Fortress
29+
RBAC, SCIM (SCIMple), and MVCC storage (Mavibot) — with per-domain addenda.
30+
Agents should consult `SECURITY.md` and the linked `THREAT_MODEL.md` before
31+
reporting issues.
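Review bot: the closing instruction ("Agents should consult `SECURITY.md` and the linked `THREAT_MODEL.md` before reporting issues") tells automated agents to read the policy but does not itself state the one rule that matters most for a scanner or AI assistant that can file issues on its own: suspected vulnerabilities must go to the private channel, never to a public GitHub issue or pull request. Since this file is explicitly "read by automated agents" and many of them will not follow a link before acting, restate that rule inline, e.g. "Do not open public issues for suspected vulnerabilities; report them privately as described in SECURITY.md", so the safe behaviour does not depend on the agent resolving the link.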

SECURITY.md

Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,32 @@
1+
<!--
2+
SPDX-License-Identifier: Apache-2.0
3+
4+
Licensed under the Apache License, Version 2.0 (the "License");
5+
you may not use this file except in compliance with the License.
6+
You may obtain a copy of the License at
7+
8+
https://www.apache.org/licenses/LICENSE-2.0
9+
10+
Unless required by applicable law or agreed to in writing, software
11+
distributed under the License is distributed on an "AS IS" BASIS,
12+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
See the License for the specific language governing permissions and
14+
limitations under the License.
15+
-->
16+
17+
# Security Policy
18+
19+
## Reporting a Vulnerability
20+
21+
Apache Directory follows the [Apache Software Foundation security process](https://www.apache.org/security/).
22+
Please report suspected vulnerabilities **privately** to `security@apache.org` (the Directory PMC is
23+
reachable at `private@directory.apache.org`). Do **not** open public GitHub issues or pull requests for
24+
security reports.
25+
26+
## Threat Model
27+
28+
What the Apache Directory components treat as in/out of scope, the security properties they provide and
29+
disclaim (authentication, LDAP ACI / Fortress RBAC authorization, Kerberos ticket integrity, protocol-parser
30+
robustness, storage integrity), the adversary model, and how findings are triaged are documented in the
31+
umbrella [THREAT_MODEL.md](./THREAT_MODEL.md), which carries per-domain addenda for LDAP, Kerberos, RBAC,
32+
SCIM, and MVCC storage.
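Review bot: in the "Reporting a Vulnerability" section the parenthetical "(the Directory PMC is reachable at `private@directory.apache.org`)" can be read as a second, equally valid place to send vulnerability reports, which is not what the linked ASF process describes; make the roles explicit, e.g. "Report suspected vulnerabilities to `security@apache.org`; `private@directory.apache.org` reaches the PMC for non-report security questions". The file also has no "Supported Versions" section stating which release lines receive security fixes, which is the piece of information a reporter checks first; consider adding it or pointing to where THREAT_MODEL.md covers it.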
