@@ -21,6 +21,17 @@ This file is read by automated agents (security scanners, code analyzers,
2121AI assistants) operating on this repository. It points them at the
2222human-authored references they should consult before producing output.
2323
24+ ## Prerequisites — Must Read Before Proceeding
25+
26+ Agents MUST read the following files before conducting any analysis,
27+ security assessment, or code review of this repository:
28+
29+ 1 . ** [ SECURITY.md] ( SECURITY.md ) ** — defines the threat model, in-scope
30+ vulnerabilities, and known limitations. Findings produced without
31+ reading this file will be inaccurate or out of scope.
32+ 2 . ** This file in its entirety** — repository structure, sensitive areas,
33+ and contribution rules.
34+
2435## Project Overview
2536
2637Apache PDFBox is a Java library for working with PDF documents. It is used
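Review bot: The new "Prerequisites" section links SECURITY.md only by relative path, while the later part of this file also gives the published copy at https://pdfbox.apache.org/security.html; an agent reading this file outside a full checkout (or from a rendered page where the relative link does not resolve) will not reach the threat model the section says is mandatory. Suggest adding the published URL alongside the relative link in item 1. Separately, "Findings produced without reading this file will be inaccurate or out of scope" states a certainty the text cannot guarantee; "are likely to be inaccurate or out of scope" is more defensible and reads the same to an automated reader.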
@@ -92,8 +103,7 @@ Avoid large refactorings in these areas unless explicitly requested:
92103Security model and scope: [ SECURITY.md] ( SECURITY.md ) ,
93104also published at < https://pdfbox.apache.org/security.html > .
94105
95- Agents that scan this repository ** must** read the security model before
96- reporting any finding. In particular, note:
106+ Key points from the security model:
97107
98108- Processing malformed PDFs is ** partially in scope** : crashes, unchecked
99109 exceptions (` NullPointerException ` , ` StackOverflowError ` ), or general
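Review bot: Replacing "Agents ... must read the security model before reporting any finding" with "Key points from the security model:" turns this list into a standalone summary, and summaries of scope rules tend to drift from the document they condense. Since the "must read" requirement now lives only in the Prerequisites section above, suggest adding one sentence here stating that SECURITY.md is authoritative and that the bullets are a non-exhaustive digest, so an agent that skips the prerequisites does not treat this list as the complete scope definition (in particular the "partially in scope" wording for malformed-PDF crashes needs the full context to apply correctly).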
@@ -105,8 +115,7 @@ reporting any finding. In particular, note:
105115- Issues that require the attacker to control the Java application's classpath
106116 or configuration are ** out of scope** .
107117
108- For a list of known CVEs, see [ SECURITY.md] ( SECURITY.md ) or
109- < https://pdfbox.apache.org/security.html > .
118+ For a list of known CVEs, see < https://pdfbox.apache.org/security.html > .
110119
111120To report a new vulnerability, send a plain-text email to < security@apache.org > .
112121Do ** not** open a public JIRA issue for undisclosed vulnerabilities.
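Review bot: Dropping the SECURITY.md reference from "For a list of known CVEs" leaves only the external URL, so an agent running against a local checkout without network access loses its only path to the known-CVE list, and it may then re-report already-fixed issues as new findings. Suggest keeping both references, e.g. "For a list of known CVEs, see SECURITY.md (also published at https://pdfbox.apache.org/security.html)." The retained reporting instructions (plain-text email to security@apache.org, no public JIRA issue for undisclosed vulnerabilities) are the right thing to keep next to the scope summary.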