Document Security Policy

README.md

@@ -42,7 +42,7 @@ This is a great place to meet other contributors and get guidance on where to co
 However, all technical designs should also be recorded and formalized in GitHub issues, so that they are accessible to everyone.
 In Slack, find us in the `#arrow-rust` channel and feel free to ask for an invite via Discord, GitHub issues, or other means.
 
-There is more information in the [contributing] guide.
+There is more information in the [contributing] guide and the [security] policy.
 
 ## Repository Structure
 
@@ -186,3 +186,4 @@ You can find more details about each crate in their respective READMEs.
 [issues]: https://github.com/apache/arrow-rs/issues
 [pull requests]: https://github.com/apache/arrow-rs/pulls
 [discussions]: https://github.com/apache/arrow-rs/discussions
+[security]: SECURITY.md

SECURITY.md

@@ -0,0 +1,83 @@
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+# Security Policy
+
+This document outlines the security model for the Rust implementation of Apache Arrow (`arrow-rs`) and how to report vulnerabilities.
+
+## Security Model
+
+The `arrow-rs` project follows the [Apache Arrow Security Model]. In particular:
+
+- Reading data from untrusted sources (e.g., over a network or from a file) requires explicit validation.
+- Failure to validate untrusted data before use may lead to security issues.
+
+This implementation provides APIs such as [`ArrayData::validate_full`] to
+validate that Arrow data conforms to the specification.
+
+Unexpected behavior (e.g., panics, crashes, or infinite loops) triggered by
+malformed input is generally considered a **bug**, not a security
+vulnerability, unless it is **exploitable** and could allow an attacker to
+
+* Execute arbitrary code (Remote Code Execution);
+* Exfiltrate sensitive information from process memory (Information Disclosure);
+
+If that exploitation path is unclear, the issue should likely be reported as a
+bug.
+
+## Rust Safety, Soundness, and Undefined Behavior
+
+Rust has a very [specific definition of unsafe]. When unsafe behavior results
+from using safe code, the code is unsound and can lead to undefined behavior
+(UB), which may be exploitable.
+
+However, not all soundness issues are exploitable. In general, issues that
+result in undefined behavior using safe APIs are considered bugs unless they
+meet the exploitability bar defined above.
+
+We therefore avoid classifying all unsoundness bugs as security
+vulnerabilities (e.g. filing [RUSTSEC] and/or [CVE] advisories), which helps
+avoid unnecessary downstream churn and keeps our focus on the most critical issues.
+
+[specific definition of unsafe]: https://doc.rust-lang.org/book/ch20-01-unsafe-rust.html
+[rustsec]: https://rustsec.org/
+[cve]: https://cve.mitre.org/
+
+## Reporting a Bug
+
+We treat all bugs seriously and welcome help fixing them. If you find a bug
+that does not meet the criteria for a security vulnerability, please report it
+in the public issue tracker.
+
+## Reporting a Vulnerability
+
+For security vulnerabilities, please follow the responsible disclosure process
+below so we can investigate and fix the issue before it is exploited in the
+wild.
+
+**Do not file a public issue.** Follow the [ASF security reporting process] by emailing [security@apache.org](mailto:security@apache.org).
+
+Include in your report:
+- A clear description and minimal reproducer.
+- Affected crates and versions.
+- Potential impact.
+
+[Apache Arrow Security Model]: https://arrow.apache.org/docs/dev/format/Security.html
+[`ArrayData::validate_full`]: https://docs.rs/arrow/latest/arrow/array/struct.ArrayData.html#method.validate_full
+[ASF security reporting process]: https://www.apache.org/security/#reporting-a-vulnerability

arrow-avro/README.md

@@ -212,9 +212,11 @@ async fn main() -> anyhow::Result<()> {
 * **Confluent Schema Registry wire format**: 1‑byte magic `0x00` + 4‑byte BE schema ID + Avro body; supports decode + encode helpers.
 * **Avro Single‑Object Encoding (SOE)**: 2‑byte magic `0xC3 0x01` + 8‑byte LE CRC‑64‑AVRO fingerprint + Avro body; supports decode + encode helpers.
 
----
+## Security
+
+See the [Security Policy] for information on the security model and how to report vulnerabilities.
 
-## Examples
+[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md
 
 * Read/write OCF in memory and from files (see crate docs “OCF round‑trip”).
 * Confluent wire‑format and SOE quickstarts are provided as runnable snippets in docs.

arrow-csv/README.md

@@ -0,0 +1,33 @@
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+# `arrow-csv`
+
+Support for reading and writing CSV files to and from [Apache Arrow].
+
+See the [main repository README] and the [API documentation] for more details.
+
+## Security
+
+See the [Security Policy] for information on the security model and how to report vulnerabilities.
+
+[Apache Arrow]: https://arrow.apache.org/
+[main repository README]: https://github.com/apache/arrow-rs
+[API documentation]: https://docs.rs/arrow-csv/latest
+[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md

arrow-flight/README.md

@@ -81,4 +81,9 @@ $ flight_sql_client --host example.com statement-query "SELECT 1;"
 +----------+
 ```
 
+## Security
+
+See the [Security Policy] for information on the security model and how to report vulnerabilities.
+
 [apache arrow flightsql]: https://arrow.apache.org/docs/format/FlightSql.html
+[security policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md

arrow-ipc/README.md

@@ -0,0 +1,34 @@
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+# `arrow-ipc`
+
+Support for reading and writing files and streams in the [Arrow IPC Format] to and from [Apache Arrow].
+
+See the [main repository README] and the [API documentation] for more details.
+
+## Security
+
+See the [Security Policy] for information on the security model and how to report vulnerabilities.
+
+[Apache Arrow]: https://arrow.apache.org/
+[Arrow IPC Format]: https://arrow.apache.org/docs/format/Columnar.html#format-ipc
+[main repository README]: https://github.com/apache/arrow-rs
+[API documentation]: https://docs.rs/arrow-ipc/latest
+[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md

arrow-json/README.md

@@ -0,0 +1,33 @@
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+# `arrow-json`
+
+Support for reading and writing JSON to and from [Apache Arrow].
+
+See the [main repository README] and the [API documentation] for more details.
+
+## Security
+
+See the [Security Policy] for information on the security model and how to report vulnerabilities.
+
+[Apache Arrow]: https://arrow.apache.org/
+[main repository README]: https://github.com/apache/arrow-rs
+[API documentation]: https://docs.rs/arrow-json/latest
+[Security Policy]: ../SECURITY.md

arrow/README.md

@@ -76,6 +76,25 @@ The `arrow` crate provides the following features which may be enabled in your `
 
 The [Apache Arrow Status](https://arrow.apache.org/docs/status.html) page lists which features of Arrow this crate supports.
 
+
+## Security
+
+`arrow-rs` follows the [Apache Arrow Security Model].
+
+Unexpected behavior (e.g., panics, crashes, or infinite loops) triggered by
+malformed input, and instances of undefined behavior (UB) triggered via safe
+APIs are considered bugs rather than security vulnerabilities unless they are exploitable
+by an attacker to
+
+* Execute arbitrary code (Remote Code Execution);
+* Exfiltrate sensitive information from process memory (Information Disclosure);
+
+We welcome your help in fixing such bugs and security issues. See our
+[Security Policy] for reporting.
+
+[Apache Arrow Security Model]: https://arrow.apache.org/docs/dev/format/Security.html
+[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md
+
 ## Safety
 
 Arrow seeks to uphold the Rust Soundness Pledge as articulated eloquently [here](https://raphlinus.github.io/rust/2020/01/18/soundness-pledge.html). Specifically:

arrow/src/lib.rs

@@ -335,14 +335,34 @@
 //! * [`parquet`](https://docs.rs/parquet) - support for [Apache Parquet]
 //! * [`arrow-avro`](https://docs.rs/arrow-avro) - support for [Apache Avro]
 //!
-//! # Safety and Security
+//! # Security
 //!
-//! Like many crates, this crate makes use of unsafe where prudent. However, it endeavours to be
-//! sound. Specifically, **it should not be possible to trigger undefined behaviour using safe APIs.**
+//! This project follows the [Apache Arrow Security Model].
 //!
-//! If you think you have found an instance where this is possible, please file
-//! a ticket in our [issue tracker] and it will be triaged and fixed. For more information on
-//! arrow's use of unsafe, see [here](https://github.com/apache/arrow-rs/tree/main/arrow#safety).
+//! Unexpected behavior (e.g., panics, crashes, or infinite loops) triggered by
+//! malformed input is considered a **bug**, not a security vulnerability,
+//! unless it is **exploitable** by an attacker to
+//!
+//! * Execute arbitrary code (Remote Code Execution);
+//! * Exfiltrate sensitive information from process memory (Information Disclosure);
+//!
+//! If you think you have found a security vulnerability, please follow the
+//! reporting instructions in the [security policy].
+//!
+//! [security policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md
+//!
+//! # Safety
+//!
+//! Like many crates, this crate makes use of `unsafe` where prudent. However, it endeavors to be
+//! sound. Specifically, **it should not be possible to trigger undefined behavior using safe APIs.**
+//!
+//! Undefined behavior using safe APIs is considered a bug, not a security
+//! vulnerability, unless it can be exploited. Please see the [security policy]
+//! for details.
+//!
+//! For more information on the use of `unsafe`, see [here](https://github.com/apache/arrow-rs/tree/main/arrow#safety).
+//!
+//! [Apache Arrow Security Model]: https://arrow.apache.org/docs/dev/format/Security.html
 //!
 //! # Higher-level Processing
 //!

parquet/README.md

@@ -79,6 +79,12 @@ information on the status of this implementation.
 [implementation status page]: https://parquet.apache.org/docs/file-format/implementationstatus/
 [apache parquet]: https://parquet.apache.org/
 
+## Security
+
+See the [Security Policy] for information on the security model and how to report vulnerabilities.
+
+[security policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md
+
 ## License
 
 Licensed under the Apache License, Version 2.0: <http://www.apache.org/licenses/LICENSE-2.0>.

parquet_derive/README.md

@@ -144,6 +144,12 @@ To compile and test doctests, run `cargo test --doc -- --show-output`
 To build documentation, run `cargo doc --no-deps`.
 To compile and view in the browser, run `cargo doc --no-deps --open`.
 
+## Security
+
+See the [Security Policy] for information on the security model and how to report vulnerabilities.
+
+[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md
+
 ## License
 
-Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.
+Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.