Skip to content

Document Security Policy#9730

Open
alamb wants to merge 5 commits intoapache:mainfrom
alamb:alamb/security_model
Open

Document Security Policy#9730
alamb wants to merge 5 commits intoapache:mainfrom
alamb:alamb/security_model

Conversation

@alamb
Copy link
Copy Markdown
Contributor

@alamb alamb commented Apr 15, 2026

Which issue does this PR close?

Rationale for this change

Other arrow subprojects (C++ in particular) has been beset recently by a deluge of low quality bug reports masquerading as security problems.

To reduce this flow and make it easier to direct people to the appropriate bug vs feature venue, we should document our security posture better

What changes are included in this PR?

  1. Add SECURITY.md
  2. Clarify what is a bug vs a security issue
  3. Sprinkle links to SECURITY around

Are these changes tested?

By CI

Are there any user-facing changes?

yes, new policyt

@github-actions github-actions bot added parquet Changes to the parquet crate arrow Changes to the arrow crate arrow-flight Changes to the arrow-flight crate parquet-derive arrow-avro arrow-avro crate labels Apr 15, 2026
@alamb alamb changed the title Alamb/security model Document Security Policy Apr 15, 2026
@alamb alamb added the documentation Improvements or additions to documentation label Apr 15, 2026
@alamb alamb marked this pull request as ready for review April 15, 2026 12:53
@alamb
Copy link
Copy Markdown
Contributor Author

alamb commented Apr 15, 2026

FYI @scovich @Jefffrey @etseidl @tustvold @jhorstmann, and @crepererum who may be interested in commenting on this policy

@alamb alamb mentioned this pull request Apr 15, 2026
Open
scovich
scovich reviewed Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@scovich scovich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The doc and associated link sprinkling seem very reasonable and welcome, but I don't think I understand how this will "reduce the flow" of "a deluge of low quality bug reports masquerading as security problems" ?

Or does it just make it easier to summarily close them because they don't follow the official guidelines?

tustvold
tustvold reviewed Apr 15, 2026
View reviewed changes
Comment thread SECURITY.md
- Reading data from untrusted sources (e.g., over a network or from a file) requires explicit validation.
- Failure to validate untrusted data before use may lead to security issues. This implementation provides APIs to validate Arrow data. For example, [`ArrayData::validate_full`] can be used to ensure that data conforms to the Arrow specification.

## Rust Safety and Undefined Behavior
Copy link
Copy Markdown
Contributor

@tustvold tustvold Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should define what exploitable means, as it is so important to this section.

Perhaps inline whatever gets merged from https://github.com/apache/arrow/pull/49761/changes or at least link to it

@alamb
Copy link
Copy Markdown
Contributor Author

alamb commented Apr 15, 2026

The doc and associated link sprinkling seem very reasonable and welcome,

❤️

but I don't think I understand how this will "reduce the flow" of "a deluge of low quality bug reports masquerading as security problems" ?

Or does it just make it easier to summarily close them because they don't follow the official guidelines?

Yes, basically having this documented means that upstream filters (aka the apache security team) can point to these guidelines if they get reports that are bugs. At the moment in Arrow sometimes it is not clear which crash is a security issue and which is just a bug

I think we should define what exploitable means, as it is so important to this section.

Yes that is an excellent idea and I will do so

etseidl
etseidl approved these changes Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@etseidl etseidl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, thanks for doing this @alamb.

Comment thread arrow/src/lib.rs Outdated
Comment thread parquet/README.md
[`simdutf8`]: https://crates.io/crates/simdutf8
[parquet variant]: https://github.com/apache/parquet-format/blob/master/VariantEncoding.md

## Parquet Feature Status
Copy link
Copy Markdown
Contributor

@etseidl etseidl Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this section removed?

Copy link
Copy Markdown
Contributor Author

@alamb alamb Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤦 -- not sure -- will revert

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tustvold tustvold tustvold left review comments

@scovich scovich scovich left review comments

@etseidl etseidl etseidl approved these changes

Assignees

No one assigned

Labels

arrow Changes to the arrow crate arrow-avro arrow-avro crate arrow-flight Changes to the arrow-flight crate documentation Improvements or additions to documentation parquet Changes to the parquet crate parquet-derive

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add a security policy for arrow-rs

4 participants

@alamb @tustvold @scovich @etseidl