blob: e36dd8ac592f8e17012ca5d5b094f68ae39db62f [file] [view]
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*
- [TODO: `<Project Name>` — Security Model reference](#todo-project-name--security-model-reference)
- [Authoritative URL](#authoritative-url)
- [Known-useful anchors](#known-useful-anchors)
- [Drafting rule](#drafting-rule)
- [Public security policy](#public-security-policy)
- [Severity-rating reference](#severity-rating-reference)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->
# TODO: `<Project Name>` — Security Model reference
This file is the project-specific reference to the project's
**Security Model**, which the canned responses and validity
assessments cite as the authoritative answer to *"is this a
vulnerability in `<Project>`?"*.
Project-agnostic drafting rules (tone, brevity, threading) live in
the repo-level [`../../AGENTS.md`](../../AGENTS.md). The *content*
the responses link to is what lives here.
## Authoritative URL
TODO: the URL to the project's public Security Model. Canned
responses must link directly to the relevant chapter instead of
paraphrasing it; paraphrases drift over time and create a second
source of truth that has to be maintained.
Example shape:
> The [`<Project>` Security Model](TODO: URL) is the authoritative
> source for what is and is not considered a security vulnerability
> in `<Project>`.
## Known-useful anchors
TODO: list anchor fragments that canned responses commonly link to.
One anchor per bullet, slug-form.
Example shape:
- `#capabilities-of-X`
- `#Y-executing-arbitrary-code`
## Drafting rule
When adding a new canned response, identify the matching chapter in
the Security Model first. If no chapter covers the case, that is a
signal the Security Model should be updated **upstream** (in the
project's source repository) rather than duplicated in
[`canned-responses.md`](canned-responses.md).
## Public security policy
TODO: the project's public-facing `SECURITY.md` or equivalent URL
(what reporters are expected to follow).
## Severity-rating reference
TODO: for ASF projects, the
[ASF Severity Rating blog post](https://security.apache.org/blog/severityrating)
is the rubric. For other projects, point at whatever rubric the
team uses when scoring severity. Reporter-supplied CVSS scores are
informational only — the ASF-level rule that governs this is in
the repo-level
[`../../AGENTS.md`](../../AGENTS.md#reporter-supplied-cvss-scores-are-informational-only--never-propagate-them)
(it is not project-specific).