alamb opened a new issue, #21811: URL: https://github.com/apache/datafusion/issues/21811
### Is your feature request related to a problem or challenge?

Currently, DataFusion does not have an explicit security policy documented in the repository. This can lead to:

1. **Ambiguity for Reporters:** Users may not know whether to report an issue (such as a crash on malformed input) as a regular bug or a security vulnerability.
2. **Increased Noise:** Without clear guidelines, low-quality bug reports can sometimes be filed as security issues, creating unnecessary work for maintainers and the Apache security team.
3. **Undefined Stance on Rust Soundness:** As a Rust project, it is important to clarify how we handle soundness issues and Undefined Behavior (UB) in relation to security vulnerabilities.

This proposal follows the precedent set in `arrow-rs` (see [arrow-rs PR #9730](https://github.com/apache/arrow-rs/pull/9730)) to provide clearer direction and reduce noise.

### Describe the solution you'd like

I propose adding a `SECURITY.md` file to the root of the DataFusion repository, modeled after the one recently added to `arrow-rs`. The policy should:

* Reference the [Apache Arrow Security Model](https://arrow.apache.org/docs/dev/format/Security.html).
* Define the distinction between a "bug" (e.g., panics, crashes, or infinite loops from malformed input) and an "exploitable vulnerability" (e.g., RCE or Information Disclosure).
* Clarify the project's stance on Rust soundness issues: treating them as bugs unless they meet the exploitability bar.
* Provide clear instructions on how to report vulnerabilities privately via [[email protected]](mailto:[email protected]) as per the ASF process.
* Integrate links to this policy in the README and crate documentation where appropriate.

### Describe alternatives you've considered

We could continue without an explicit policy and rely on general ASF guidelines, but a project-specific policy provides much-needed clarity for the specific context of DataFusion (especially regarding Rust-specific safety).

### Additional context

* [arrow-rs PR #9730](https://github.com/apache/arrow-rs/pull/9730)
* [arrow-rs SECURITY.md](https://github.com/apache/arrow-rs/blob/main/SECURITY.md)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]

---------------------------------------------------------------------
For additional commands, e-mail: [email protected]
