|
| 1 | +<!-- |
| 2 | +SPDX-License-Identifier: Apache-2.0 |
| 3 | +
|
| 4 | +Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | +you may not use this file except in compliance with the License. |
| 6 | +You may obtain a copy of the License at |
| 7 | +
|
| 8 | + https://www.apache.org/licenses/LICENSE-2.0 |
| 9 | +
|
| 10 | +Unless required by applicable law or agreed to in writing, software |
| 11 | +distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | +See the License for the specific language governing permissions and |
| 14 | +limitations under the License. |
| 15 | +--> |
| 16 | + |
| 17 | +# Security Policy |
| 18 | + |
| 19 | +## Reporting a Vulnerability |
| 20 | + |
| 21 | +Apache Directory follows the [Apache Software Foundation security process](https://www.apache.org/security/). |
| 22 | +Please report suspected vulnerabilities **privately** to `security@apache.org` (the Directory PMC is |
| 23 | +reachable at `private@directory.apache.org`). Do **not** open public GitHub issues or pull requests for |
| 24 | +security reports. |
| 25 | + |
| 26 | +## Threat Model |
| 27 | + |
| 28 | +What the Apache Directory components treat as in/out of scope, the security properties they provide and |
| 29 | +disclaim (authentication, LDAP ACI / Fortress RBAC authorization, Kerberos ticket integrity, protocol-parser |
| 30 | +robustness, storage integrity), the adversary model, and how findings are triaged are documented in the |
| 31 | +umbrella [THREAT_MODEL.md](./THREAT_MODEL.md), which carries per-domain addenda for LDAP, Kerberos, RBAC, |
| 32 | +SCIM, and MVCC storage. |
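Review bot: The relative link `[THREAT_MODEL.md](./THREAT_MODEL.md)` on line 31 assumes that file sits in the same directory as this SECURITY.md; confirm it is part of this change or already present in the repository, otherwise the link will 404 on GitHub and the threat model this policy defers to becomes unreachable. Two smaller points: the "Reporting a Vulnerability" section lists the private addresses but does not say what a reporter can expect next (acknowledgement, triage, coordinated disclosure), which the linked ASF process page does describe, so a one-line pointer such as "see the ASF process for timelines and disclosure" would help; and the file has no "Supported Versions" section, which GitHub's security-policy template expects and which tells reporters which releases receive fixes.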