Skip to content

Security: apache/streampipes

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report suspected security vulnerabilities in Apache StreamPipes privately to the StreamPipes security list at security@streampipes.apache.org, following the Apache Software Foundation security process. Do not open public GitHub issues or pull requests for security reports — a private report lets the issue be investigated and fixed before disclosure.

Threat Model

A threat model for Apache StreamPipes is maintained in THREAT_MODEL.md. It describes the trust boundaries (the REST front door, the external-data ingestion boundary at the adapters, the extension runtime), the adversaries in and out of scope, the security properties StreamPipes upholds given its deployment assumptions versus those left to the operator (transport security, network isolation, extension vetting, source trust), and the recurring non-findings. Triagers of scanner, fuzzer, or AI-generated findings should route each through THREAT_MODEL.md §10.

This threat model is v0. See THREAT_MODEL.md for its current status and maintenance notes.

There aren't any published security advisories