From 9925ff585bd2c8a0578cb13c30afe21322829af4 Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Thu, 24 Aug 2023 13:13:54 +0200 Subject: [PATCH 1/2] Add back link to the ASF blog about severity to the policy The security policy should be the place where researchers are looking on how to assign severity to their reports. We had the link to the ASF blog post describing how we assess the severity but it has been moved out in #32496 somewhat accidentally to the information about the security team. It can stay there (as a reference for the security team members/internal), but it would be great to keep it in our Policy targeted for the researchers. --- .github/SECURITY.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 4035fa8b6ee69..b0cf8a409e10c 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md 
@@ -54,11 +54,16 @@ movie, HTML, or PDF attachment when you could as easily describe it with plain t Before reporting vulnerabilities, please make sure to read and understand the [security model](https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html) of Airflow, because some of the potential security vulnerabilities that are valid for projects that are publicly accessible -from the Internet, are not valid for Airflow. Airflow is not designed to be used by untrusted users, and some -trusted users are trusted enough to do a variety of operations that could be considered as vulnerabilities -in other products/circumstances. Therefore, some potential security vulnerabilities do not -apply to Airflow, or have a different severity than some generic scoring systems (for example `CVSS`) -calculation suggests. +from the Internet, are not valid for Airflow. + + +Airflow is not designed to be used by untrusted users, and some trusted users are trusted enough to do a +variety of operations that could be considered as vulnerabilities in other products/circumstances. +Therefore, some potential security vulnerabilities do not apply to Airflow, or have a different severity +than some generic scoring systems (for example `CVSS`) calculation suggests. Severity of the issue is +determined based on the criteria described in the +[Severity Rating blog post](https://security.apache.org/blog/severityrating/) by the Apache Software +Foundation Security team. The [Airflow Security Team](https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst#security-team) will get back to you after assessing the report. From a4880e5b05f5ddbd5c9c1d5ff519a0ab74282ee9 Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Thu, 24 Aug 2023 14:40:08 +0200 Subject: [PATCH 2/2] Update .github/SECURITY.md Co-authored-by: Pankaj Koti --- .github/SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/SECURITY.md b/.github/SECURITY.md index b0cf8a409e10c..64bd990cbc88f 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -62,7 +62,7 @@ variety of operations that could be considered as vulnerabilities in other produ Therefore, some potential security vulnerabilities do not apply to Airflow, or have a different severity than some generic scoring systems (for example `CVSS`) calculation suggests. Severity of the issue is determined based on the criteria described in the -[Severity Rating blog post](https://security.apache.org/blog/severityrating/) by the Apache Software +[Severity Rating blog post](https://security.apache.org/blog/severityrating/) by the Apache Software Foundation Security team. The [Airflow Security Team](https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst#security-team) will get back to you after assessing the report.
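Review bot: the hunk at `@@ -54,11 +54,16 @@` adds two consecutive empty `+` lines between `from the Internet, are not valid for Airflow.` and `Airflow is not designed to be used by untrusted users`, and the added line `by the Apache Software ` ends in trailing whitespace; one blank line is all Markdown needs to separate paragraphs and markdownlint-style checks flag both, so collapse the two empty lines into one and strip the trailing space before merging. The body text is otherwise moved over verbatim from the removed lines, and the new closing sentence pointing researchers at the ASF Severity Rating post matches the stated intent of the commit message; a small wording tweak, `The severity of an issue is determined based on the criteria described in the ...`, would read more naturally than `Severity of the issue is determined ...`.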
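Review bot: the hunk at `@@ -62,7 +62,7 @@` only removes the trailing space after `by the Apache Software` that patch 1/2 introduced, so it belongs squashed into 1/2 rather than kept as a separate commit titled `Update .github/SECURITY.md`, a subject that says nothing about what changed; if it must stay separate, a subject such as `Remove trailing whitespace in SECURITY.md` keeps the history readable and the `Co-authored-by` trailer can be carried over to the squashed commit.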