Skip to content
30 changes: 30 additions & 0 deletions AGENTS.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,3 +28,33 @@ Applies to the whole repository unless a deeper `AGENTS.md` overrides it.

## UI
- UI-specific rules live in `ui/AGENTS.md` and deeper UI-level files.

## Security

You are helping a security researcher find and report vulnerabilities in
Apache StreamPipes. Before drafting any report or reaching any conclusion,
complete these steps.

### Step 1 — Read the threat model
Read **[THREAT_MODEL.md](THREAT_MODEL.md)**: the trust boundaries (the REST
front door, the external-data ingestion boundary at the adapters, the
extension runtime), the adversaries in and out of scope, and what StreamPipes
upholds versus what it leaves to the operator.

### Step 2 — Read the security policy
Read **[SECURITY.md](SECURITY.md)** for how to report (`security@streampipes.apache.org`).

### Key scoping facts (see THREAT_MODEL.md)
- The **streampipes-rest** HTTP/REST layer is the primary control boundary; the external-data ingestion boundary is at the adapters. The broker, datastore, and extension-runtime services are assumed to run inside an operator-controlled perimeter.
- **Installed extensions (custom adapters / processors / sinks) are
code-execution by design**, not a sandbox.
- An **adapter ingesting data from an external source** is the intended
function; source trust and the handling guarantee for hostile ingested data
are spelled out in THREAT_MODEL.md.
- Transport security (TLS), network isolation, and extension vetting are
**operator** responsibilities, not engine invariants.

### Step 3 — Route the finding
Route the finding to exactly one disposition in **THREAT_MODEL.md §10**
(VALID, or one of the `OUT-OF-MODEL` / `BY-DESIGN` dispositions) and cite the
section that justifies the call. This model is **v0**.
40 changes: 40 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to you under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

# Security Policy

## Reporting a Vulnerability

Please report suspected security vulnerabilities in Apache StreamPipes
**privately** to the StreamPipes security list at
`security@streampipes.apache.org`, following the [Apache Software Foundation security process](https://www.apache.org/security/).
Do **not** open public GitHub issues or pull requests for security reports — a
private report lets the issue be investigated and fixed before disclosure.

## Threat Model
A threat model for Apache StreamPipes is maintained in
[THREAT_MODEL.md](THREAT_MODEL.md). It describes the trust boundaries (the REST
front door, the external-data ingestion boundary at the adapters, the
extension runtime), the adversaries in and out of scope, the security
properties StreamPipes upholds given its deployment assumptions versus those
left to the operator (transport security, network isolation, extension
vetting, source trust), and the recurring non-findings. Triagers of scanner,
fuzzer, or AI-generated findings should route each through `THREAT_MODEL.md`
§10.

This threat model is **v0**. See `THREAT_MODEL.md` for its current status and
maintenance notes.
Loading
Loading