Please report suspected security vulnerabilities in Apache StreamPipes
privately to the StreamPipes security list at
security@streampipes.apache.org, following the Apache Software Foundation security process.
Do not open public GitHub issues or pull requests for security reports — a
private report lets the issue be investigated and fixed before disclosure.
A threat model for Apache StreamPipes is maintained in
THREAT_MODEL.md. It describes the trust boundaries (the REST
front door, the external-data ingestion boundary at the adapters, the
extension runtime), the adversaries in and out of scope, the security
properties StreamPipes upholds given its deployment assumptions versus those
left to the operator (transport security, network isolation, extension
vetting, source trust), and the recurring non-findings. Triagers of scanner,
fuzzer, or AI-generated findings should route each through THREAT_MODEL.md
§10.
This threat model is v0. See THREAT_MODEL.md for its current status and
maintenance notes.