diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000..5bd145b --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,13 @@ + + +# Agent Guide for cloudstack-go + +This file is read by automated agents (security scanners, code analyzers, +AI assistants) operating on this repository. + +## Security + +Security model: [SECURITY.md](./SECURITY.md) + +Agents that scan this repository should consult `SECURITY.md` and the +project-wide threat model it links before reporting issues. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..9ba3df9 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,35 @@ + + +# Security Policy + +## Reporting a Vulnerability + +`apache/cloudstack-go` follows the [Apache Software Foundation security process](https://www.apache.org/security/). +Please report suspected vulnerabilities privately to `security@apache.org`; do not +open public GitHub issues or pull requests for security reports. + +## Threat Model + +`apache/cloudstack-go` is part of the Apache CloudStack project and is covered by the +**project-wide CloudStack threat model** rather than a per-repository copy. What the +project treats as in scope and out of scope, the security properties it provides and +disclaims, the adversary model, and how findings are triaged are documented in that +model: . + +(That link resolves once the project-wide model lands on `apache/cloudstack`'s +`main` branch — see apache/cloudstack#13293. A thin `cloudstack-cloudstack-go`-specific +addendum can be added here later if this component needs one.)
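Review bot: the AGENTS.md hunk tells automated scanners to consult `SECURITY.md` "before reporting issues" but never says where a finding should go, so a scanner that follows this guide can still open a public GitHub issue for a suspected vulnerability. Restate the private channel here rather than only by reference, e.g. add a line such as "Report suspected vulnerabilities privately to `security@apache.org`; do not open public issues or pull requests for them" under `## Security`. The two empty `+` lines at the top of the file before `# Agent Guide for cloudstack-go` should also be dropped.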
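Review bot: in the SECURITY.md hunk the sentence "are documented in that model: ." carries no link at all, so the policy this PR introduces points readers (and the agents AGENTS.md directs here) at nothing; the trailing parenthetical explains the link will resolve once apache/cloudstack#13293 lands, but the URL itself is absent from the diff. Either include the intended link text now, or hold this file until the project-wide model is merged and the target path is known, rather than shipping an empty reference. Two smaller points in the same hunk: "`cloudstack-cloudstack-go`-specific addendum" names the repository wrongly (it is `apache/cloudstack-go`, so "`cloudstack-go`-specific"), and the two empty `+` lines ahead of `# Security Policy` should be removed as in AGENTS.md.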