Skip to content

Commit 3961810

Browse files
committed
Add AGENTS.md + SECURITY.md wiring for security-model discoverability
apache/cloudstack carries the project-wide security threat model (draft-THREAT-MODEL.md, merged in #13293) but no AGENTS.md/SECURITY.md chain leading to it. Add SECURITY.md (ASF disclosure pointer + a link to the model) and AGENTS.md (Security section pointing at SECURITY.md) so an automated scanner can follow AGENTS.md -> SECURITY.md -> draft-THREAT-MODEL.md. The threat-model content is untouched. Generated-by: Claude Code (Claude Opus 4.8)
1 parent 4beab94 commit 3961810

2 files changed

Lines changed: 65 additions & 0 deletions

File tree

AGENTS.md

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
<!--
2+
Licensed to the Apache Software Foundation (ASF) under one
3+
or more contributor license agreements. See the NOTICE file
4+
distributed with this work for additional information
5+
regarding copyright ownership. The ASF licenses this file
6+
to you under the Apache License, Version 2.0 (the
7+
"License"); you may not use this file except in compliance
8+
with the License. You may obtain a copy of the License at
9+
10+
http://www.apache.org/licenses/LICENSE-2.0
11+
12+
Unless required by applicable law or agreed to in writing,
13+
software distributed under the License is distributed on an
14+
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15+
KIND, either express or implied. See the License for the
16+
specific language governing permissions and limitations
17+
under the License.
18+
-->
19+
20+
# Agent Guide for cloudstack
21+
22+
This file is read by automated agents (security scanners, code
23+
analyzers, AI assistants) operating on this repository.
24+
25+
## Security
26+
27+
Security model: [SECURITY.md](./SECURITY.md)
28+
29+
Agents that scan this repository should consult `SECURITY.md` and the
30+
threat model it links before reporting issues.
31+
32+
The project-wide security threat model lives in draft-THREAT-MODEL.md (merged via #13293); SECURITY.md points to it.

SECURITY.md

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
<!--
2+
Licensed to the Apache Software Foundation (ASF) under one
3+
or more contributor license agreements. See the NOTICE file
4+
distributed with this work for additional information
5+
regarding copyright ownership. The ASF licenses this file
6+
to you under the Apache License, Version 2.0 (the
7+
"License"); you may not use this file except in compliance
8+
with the License. You may obtain a copy of the License at
9+
10+
http://www.apache.org/licenses/LICENSE-2.0
11+
12+
Unless required by applicable law or agreed to in writing,
13+
software distributed under the License is distributed on an
14+
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15+
KIND, either express or implied. See the License for the
16+
specific language governing permissions and limitations
17+
under the License.
18+
-->
19+
20+
# Security Policy
21+
22+
## Reporting a Vulnerability
23+
24+
`apache/cloudstack` follows the [Apache Software Foundation security process](https://www.apache.org/security/). Please report suspected
25+
vulnerabilities privately to `security@apache.org`; do not open public
26+
GitHub issues or pull requests for security reports.
27+
28+
## Threat Model
29+
30+
What the project treats as in scope and out of scope, the security
31+
properties it provides and disclaims, the adversary model, and how
32+
findings are triaged are documented in the project-wide threat model:
33+
[draft-THREAT-MODEL.md](draft-THREAT-MODEL.md).

0 commit comments

Comments
 (0)