Skip to content

chore: Add SECURITY.md for outlining security policy #4048

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

chore: Add SECURITY.md for outlining security policy #4048

wants to merge 10 commits into from
+272 −0

Conversation

@Yicong-Huang
Copy link
Contributor

@Yicong-Huang Yicong-Huang commented Nov 11, 2025

What changes were proposed in this PR?

Adding SECURITY.md. This document outlines Apache Texera's security model, deployment considerations, and procedures for reporting security vulnerabilities.

Any related issues, documentation, discussions?

Private discussions.
closes #3807.

How was this PR tested?

N/A

Was this PR authored or co-authored using generative AI tooling?

No

@Yicong-Huang
chore: Add SECURITY.md for outlining security policy
4e61c22 
This document outlines Apache Texera's security model, deployment considerations, and procedures for reporting security vulnerabilities.

Signed-off-by: Yicong Huang <[email protected]>
@github-actions github-actions bot added the docs Changes related to documentations label Nov 11, 2025
@Yicong-Huang Yicong-Huang self-assigned this Nov 11, 2025
@Yicong-Huang
Copy link
Contributor Author

Yicong-Huang commented Nov 11, 2025

@chenlica @bobbai00 could you add the link to "how to deploy texera" part?

pjfanning
pjfanning reviewed Nov 11, 2025
View reviewed changes
pjfanning
pjfanning reviewed Nov 11, 2025
View reviewed changes
@chenlica
Copy link
Contributor

chenlica commented Nov 12, 2025

@Yicong-Huang Please check this wiki page (https://github.com/apache/texera/wiki/How-to-run-Texera-on-local-Kubernetes) and see if it can serve the purpose for this security document. It's for installing Texera on a local Kubernetes, not a cluster.

@Yicong-Huang
Copy link
Contributor Author

Yicong-Huang commented Nov 12, 2025

@Yicong-Huang Please check this wiki page (https://github.com/apache/texera/wiki/How-to-run-Texera-on-local-Kubernetes) and see if it can serve the purpose for this security document. It's for installing Texera on a local Kubernetes, not a cluster.

Seems not enough. Per PJ's previous comment, it might be better to include recommendation on certain file permissions.

One thing that might be useful to add is something about how to deploy
Texera. You might want to recommend that the OS user used to deploy
the application has certain file permissions etc. (to restrict access
to files on the server, ones that we don't want malicious users to try
to access).

@chenlica
Copy link
Contributor

chenlica commented Nov 12, 2025

@aicam Can you check these instructions and improve the wiki page?

@aicam
Copy link
Contributor

aicam commented Nov 13, 2025

@aicam Can you check these instructions and improve the wiki page?

I just updated the instructions to include a recommendation on preventing using root user (admin user) for containers.

@Yicong-Huang
Copy link
Contributor Author

Yicong-Huang commented Nov 13, 2025

Thanks @aicam. I will mention this wiki in the security policy, as a reference.
Could you change the language inside the wiki so that it says what to do (use non-root containers), but less on why (about what attacker can do, etc.)

@Yicong-Huang
Update SECURITY.md with deployment wiki link
391f2c1 
Added a reference to the wiki for local Kubernetes deployment.

Signed-off-by: Yicong Huang <[email protected]>
@Yicong-Huang
Update SECURITY.md for deployment information
15026a0 
Removed outdated deployment reference and updated section headers for clarity.

Signed-off-by: Yicong Huang <[email protected]>
@Yicong-Huang
fix index
f5cf94f 
Signed-off-by: Yicong Huang <[email protected]>
@Yicong-Huang
Copy link
Contributor Author

Yicong-Huang commented Nov 13, 2025

@pjfanning Thanks for the comments. I have addressed them all, and added information and link to our deployment guide. Please kindly check again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chenlica chenlica Awaiting requested review from chenlica

@pjfanning pjfanning Awaiting requested review from pjfanning

At least 1 approving review is required to merge this pull request.

Assignees

@Yicong-Huang Yicong-Huang

Labels

docs Changes related to documentations

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

write a Security Model document

4 participants

@Yicong-Huang @chenlica @aicam @pjfanning