Add draft project security threat-model document #149
Adds a draft project-level security threat-model document (draft-THREAT-MODEL.md) at repo root, improving discoverability for automated security scanners running against this repository. The file follows the rubric format used by several other ASF projects piloting security-model discoverability. The "draft-" prefix signals this is a proposal for the PMC to review, correct, or reject — not a finalised maintainer-blessed model. Every claim carries a provenance tag (documented / inferred / maintainer) so reviewers can see where each claim originates; §14 collects open questions for the maintainers. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
0f8d4ea to
b6579f6
There are a lot of details in the draft that need a better set of eyes, so assigning @DaanHoogland @vishesh92 who're also PMC leads on the work.

Thanks @yadvr, I think we should start with this one and work from there. I'll look at the fields we need today. cc @vishesh92 @potiuk
| **Q1.** Out-of-scope: where the caller stores `apiKey` / `secretKey` | ||
| on disk. Confirm. |
| **Q2.** Out-of-scope: revalidating management-server response | ||
| correctness in the SDK. Confirm. |
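Review bot: Q1 proposes putting on-disk storage of `apiKey` / `secretKey` out of scope, yet the PR's scope note lists credential file handling among the Go-SDK-specific concerns this delta covers. The row should state whether the SDK itself reads or writes any credential file, and limit the out-of-scope claim to storage the caller chooses, so the two statements do not read as contradictory.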
This is a CloudStack issue only to the extent that the SDK used is delivered by the Apache CloudStack project, and assuming the response was given by a CloudStack installation of the targeted version. Any misdirection, mismatched version, or spoofed server is out of scope.
| **Q3.** `HTTPGETOnly` default and signature-in-URL leakage — is `false` | ||
| the default and is "do not log URLs when `HTTPGETOnly = true`" a | ||
| documented caller responsibility? *(maps to §5a, §6, §10, §11a)* |
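Review bot: Q3 packs two separate confirmations into one row: whether `false` is the default for `HTTPGETOnly`, and whether not logging URLs when `HTTPGETOnly = true` is a documented caller responsibility. A single "confirmed" cannot distinguish the two, so split the row into Q3a and Q3b and map each to its own subset of §5a, §6, §10, §11a.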
confirmed (i.e. +1 for my part)

Given that this “inherits” from CloudStack, I think (on second thought) we should start there.
Summary
This PR adds an initial draft of a project-level security
threat-model document (`draft-THREAT-MODEL.md`) so that automated
security scanners running against this repository have a
maintainer-facing reference for which classes of findings are
in-scope vs. out-of-scope for the project.
The document follows the rubric format used by several other ASF
projects piloting improved security-model discoverability for
agentic scanners. Every claim carries a provenance tag:
the project website), cited inline.
knowledge; the PMC has not confirmed.
to this draft. (Zero in this initial draft.)
Draft stats:
§14 is the highest-leverage section: answering each question
either promotes one (inferred) tag to (maintainer) or corrects
the underlying claim.
Scope note
This is a delta document; the canonical CloudStack threat model lives at apache/cloudstack:draft-THREAT-MODEL.md and is inherited as the baseline. The delta covers Go-SDK-specific concerns (signing implementation; credential file handling).
Why "draft-" prefix?
The file is named `draft-THREAT-MODEL.md` rather than
`SECURITY-THREAT-MODEL.md` because this is a proposal for the
PMC to review — please correct, reject, or discuss as needed.
Once the PMC ratifies (or substantially edits) the content, the
file can be renamed in a follow-up PR and a discoverability
scaffold (`AGENTS.md` → `SECURITY.md` → the model) added so
scanners can mechanically follow the chain.
What this is, and what it is not
This is not a security audit. It is a working triage document
— the reference a triager holds against an inbound report to
decide whether the report is about a CloudStack-Go vulnerability or
about caller misuse / operator misconfiguration / an out-of-scope
concern.
The draft was generated by an automated agentic security scan
being piloted by the ASF Security team; the discoverability work
is independent of any specific scan run.
How to review
replaces the inferred claim with the correct one.
dispositions) — those govern how a vulnerability report would
be triaged.
Reply edits / corrections inline on the PR, or to the original
security@apache.org thread, whichever fits the PMC's workflow.

🤖 Generated with Claude Code