From 3db3dce9b3ec2066cedc200412f2684c8fa1a6a2 Mon Sep 17 00:00:00 2001 From: Arnout Engelen Date: Tue, 10 Mar 2026 21:03:25 +0100 Subject: [PATCH 1/2] docs: document security model --- src/site/xdoc/security.xml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml index 4e3de64ec82..7d3b55c3b97 100644 --- a/src/site/xdoc/security.xml +++ b/src/site/xdoc/security.xml @@ -31,6 +31,26 @@ of the Commons project.

+
+

Commons Compress may be used to process untrusted input data. + This should not trigger network access, unbounded deserialization + or code execution. It may require processing power proportional to + the size of the input. An input causing an OutOfMemoryError, + StackOverflowError, or another Error may be accepted as a DoS + vulnerability when it is unexpected based on the size of the input + and the resources (RAM, disk, etc) allocated to the process.

+ +

Input causing any other RuntimeException is expected and not a + vulnerability, but may be a regular bug when a more appropriate + Exception is available

+ +

Regular API parameters are typically designed to work with input + that is either trusted or validated/sanitized by the application + using the library unless otherwise specified, in accordance with + the general + Apache Commons Security Model.

+
+

This page lists all security vulnerabilities fixed in released versions of Apache Commons Compress. Each From 3d14d5324a71c0f7b4426f2fdb023d5d0b9756dc Mon Sep 17 00:00:00 2001 From: Gary Gregory Date: Tue, 10 Mar 2026 20:26:57 -0400 Subject: [PATCH 2/2] End sentence with a period. --- src/site/xdoc/security.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml index 7d3b55c3b97..09092c38ca7 100644 --- a/src/site/xdoc/security.xml +++ b/src/site/xdoc/security.xml @@ -42,7 +42,7 @@

Input causing any other RuntimeException is expected and not a vulnerability, but may be a regular bug when a more appropriate - Exception is available

+ Exception is available.

Regular API parameters are typically designed to work with input that is either trusted or validated/sanitized by the application
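Review bot: the sentence "It may require processing power proportional to the size of the input" in the first paragraph of the new section is ambiguous about whether "input" means the compressed bytes or the data they expand to, which matters for the OutOfMemoryError/DoS criterion that follows it: a small archive can legitimately expand to a much larger output, so resources proportional to the compressed size are not a realistic bound. Suggest stating the expected bound explicitly, e.g. "It may require processing power and memory proportional to the size of the input and of the data it decompresses to", and then the DoS sentence can refer to "unexpected based on the size of the input, the size of the data it expands to, and the resources (RAM, disk, etc.) allocated to the process". Two smaller points on the same hunk: "etc" should be "etc." and the sentence "Exception is available" is missing its terminating period (PATCH 2/2 in this series fixes the latter; it could be folded into this commit).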
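Review bot: this one-character fix only corrects text introduced in PATCH 1/2 of the same series, so it would be cleaner squashed into that commit rather than landing separately; the change itself is fine.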