# Security Policy

Apache Doris security findings should be reported to
`security@apache.org`. The Apache Security Team will route reports to
the Doris project maintainers.

For security scope, trust boundaries, attacker roles, explicit
non-goals, and vulnerability triage classification, use
`threat-model.md` as the canonical source for this repository. Security
scanners, review agents, and vulnerability triagers should read
`threat-model.md` before classifying findings.

Findings that are out of model or by design under `threat-model.md`
should be reported with that disposition instead of being treated as
Doris vulnerabilities.