docs(security): update vulnerability reporting policy and admin trust boundary#38653
Open
sha174n wants to merge 1 commit intoapache:masterfrom
Open
docs(security): update vulnerability reporting policy and admin trust boundary#38653sha174n wants to merge 1 commit intoapache:masterfrom
sha174n wants to merge 1 commit intoapache:masterfrom
Conversation
… boundary - Expand SECURITY.md with submission standards, AI disclosure requirement, human-verified PoC policy, out-of-scope definitions, CVE aggregation rules, and outcome handling for borderline reports - Add threat model section to security.mdx clarifying the Admin role as a trusted boundary and its implications for CVE eligibility Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
Code Review Agent Run #f9c42fActionable Suggestions - 0Review Details
Bito Usage GuideCommands Type the following command in the pull request comment and save the comment.
Refer to the documentation for additional commands. Configuration This repository uses Documentation & Help AI Code Review powered by |
Contributor
Sequence DiagramThis PR clarifies how Superset security reports are submitted and triaged. The flow emphasizes required report quality, excludes Admin-only vectors from CVE scope, and aggregates related findings by shared root cause before final disposition. sequenceDiagram
participant Reporter
participant SecurityTeam
participant PublicIssueTracker
Reporter->>SecurityTeam: Submit plain text report with AI disclosure and verified PoC
SecurityTeam->>SecurityTeam: Validate submission standards
SecurityTeam->>SecurityTeam: Evaluate scope against security policy boundary
alt Requires Admin privileges or otherwise out of scope
SecurityTeam->>PublicIssueTracker: Convert to public hardening issue when useful
SecurityTeam-->>Reporter: Close as not CVE eligible
else In scope vulnerability
SecurityTeam->>SecurityTeam: Aggregate related vectors by shared root cause
SecurityTeam-->>Reporter: Proceed with CVE triage outcome
end
Generated by CodeAnt AI |
✅ Deploy Preview for superset-docs-preview ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
User description
SUMMARY
Expands and clarifies Apache Superset's security reporting documentation across two files:
.github/SECURITY.mddocs/admin_docs/security/security.mdxBEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
TESTING INSTRUCTIONS
ADDITIONAL INFORMATION
CodeAnt-AI Description
Clarify security reporting rules, CVE aggregation, and Admin threat model
What Changed
Impact
✅ Clearer vulnerability submission requirements✅ Fewer invalid CVE reports requiring triage✅ Clearer guidance on Admin-scoped findings💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.