Skip to content

Add a draft security threat model (THREAT_MODEL.md) + SECURITY.md + discoverability wiring#1224

Open
potiuk wants to merge 1 commit into
apache:mainfrom
potiuk:asf-security/threat-model-2026-07-04
Open

Add a draft security threat model (THREAT_MODEL.md) + SECURITY.md + discoverability wiring#1224
potiuk wants to merge 1 commit into
apache:mainfrom
potiuk:asf-security/threat-model-2026-07-04

Conversation

@potiuk

@potiuk potiuk commented Jul 4, 2026

Copy link
Copy Markdown
Member

This is a proposal for the Guacamole PMC to review — please correct, reject, or discuss as needed. The PMC owns the document; nothing here is a requirement.

This adds a draft umbrella THREAT_MODEL.md for the Apache Guacamole family, a SECURITY.md (the code repos don't currently carry one — the security policy lives only at guacamole.apache.org/security), and an AGENTS.md wiring AGENTS.md -> SECURITY.md -> THREAT_MODEL.md so an automated scanner can mechanically discover it. Path 3 as agreed on the list (we draft the v0, the PMC reviews). It lands on apache/guacamole-client as the canonical home; guacamole-server and guacamole-website get small pointer PRs to it once you're happy with the shape.

Generated from Guacamole's public artefacts (the security page, docs, advisory history) via the threat-model-producer rubric. Provenance-tagged throughout; every (inferred) claim routes to a numbered §14 question (15 of them).

The model's spine is the guacd(C) / client(Java) / website(static) split:

  • guacd + libguac + the C protocol plugins are modeled as the primary memory-safety surface — untrusted data from the remote desktop server flowing back into C parsers (anchored to the real CVE history: the 2020 "Reverse RDP" set, the VNC/RDP/SSH parsing CVEs);
  • guacamole-client as the authn/authz + tunnel surface;
  • guacamole-website is explicitly out of model for runtime findings, in scope only for discoverability.

Two calls we'd especially value your confirmation on (both in §14 wave 1): (1) guacd is not an auth boundary and must be kept off untrusted networks — a report against an exposed :4822 is a misconfiguration, not an in-model bug; (2) the plaintext/unauthenticated webapp↔guacd default (guacd-ssl off on a trusted segment) as the supported production posture.

What's most useful: walk the §14 questions and confirm / correct / strike each — a one-liner each is enough. This PR only adds files; it edits no existing content.

Context: the ASF Security team is preparing projects for an automated agentic security scan we're piloting; discoverability is the one hard prerequisite.

…iscoverability wiring

Generated-by: Claude Code
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant