Add back link to the ASF blog about severity to the policy (apache#33691)

* Add back link to the ASF blog about severity to the policy

The security policy should be the place where researchers are
looking on how to assign severity to their reports. We had the
link to the ASF blog post describing how we assess the severity,
but it has been moved out in apache#32496 somewhat accidentally to the
information about the security team. It can stay there (as a
reference for the security team members/internal), but it would
be great to keep it in our Policy targeted for the researchers.

Co-authored-by: Pankaj Koti <[email protected]>
potiuk and pankajkoti authored Aug 24, 2023
1 parent faa50cb commit 4768204
Showing 1 changed file with 10 additions and 5 deletions.
15 changes: 10 additions & 5 deletions .github/SECURITY.md
@@ -54,11 +54,16 @@ movie, HTML, or PDF attachment when you could as easily describe it with plain t
Before reporting vulnerabilities, please make sure to read and understand the
[security model](https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html) of Airflow, because
some of the potential security vulnerabilities that are valid for projects that are publicly accessible
from the Internet, are not valid for Airflow. Airflow is not designed to be used by untrusted users, and some
trusted users are trusted enough to do a variety of operations that could be considered as vulnerabilities
in other products/circumstances. Therefore, some potential security vulnerabilities do not
apply to Airflow, or have a different severity than some generic scoring systems (for example `CVSS`)
calculation suggests.
from the Internet, are not valid for Airflow.


Airflow is not designed to be used by untrusted users, and some trusted users are trusted enough to do a
variety of operations that could be considered as vulnerabilities in other products/circumstances.
Therefore, some potential security vulnerabilities do not apply to Airflow, or have a different severity
than some generic scoring systems (for example `CVSS`) calculation suggests. Severity of the issue is
determined based on the criteria described in the
[Severity Rating blog post](https://security.apache.org/blog/severityrating/) by the Apache Software
Foundation Security team.

The [Airflow Security Team](https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst#security-team) will get back to you after assessing the report.
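Review bot: the added paragraph leaves two consecutive blank lines between "from the Internet, are not valid for Airflow." and "Airflow is not designed to be used by untrusted users"; Markdown renders them as one paragraph break anyway, so a single blank line would keep the file consistent with the rest of SECURITY.md. The sentence "or have a different severity than some generic scoring systems (for example `CVSS`) calculation suggests" is carried over unchanged but reads awkwardly; since the paragraph is being rewritten, consider "or have a different severity than a generic scoring system such as `CVSS` would suggest". The new closing sentence that points researchers to the ASF Severity Rating blog post is the substance of this change and reads clearly.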

0 comments on commit 4768204