apache · Jens-G · May 22, 2026
diff --git a/AGENTS.md b/AGENTS.md
@@ -84,7 +84,25 @@ Per [`CONTRIBUTING.md § AI generated content`](CONTRIBUTING.md#ai-generated-con
 
 ---
 
-## 6. Quick Reference Checklist (before opening a PR)
+## 6. Security Work
+
+When assisting with security-sensitive changes (transport size limits, TLS configuration,
+authentication, serialization bounds, or anything flagged by the project's security team):
+
+- **Never** describe the change as a security fix in public-facing text — commit messages,
+  PR titles, PR descriptions, or inline comments.  Use neutral functional language:
+  *"add a configurable frame-size limit"* rather than *"fix DoS vulnerability"*.
+  Vulnerability details travel through the private ASF channel (`security@apache.org`);
+  AI tooling must not short-circuit that process.
+- Before proposing mitigations or defaults, consult
+  [`doc/thrift-threat-model.md`](doc/thrift-threat-model.md) for the project's documented
+  attack surface, trust boundaries, and per-binding security properties.
+- External reporters and AI reviewers alike should follow the instructions in
+  [`SECURITY.md`](SECURITY.md) for responsible disclosure.
+
+---
+
+## 7. Quick Reference Checklist (before opening a PR)
 
 - [ ] License of any new dependency checked against [ASF Category A/X list](https://www.apache.org/legal/resolved.html)
 - [ ] `LICENSE` and/or `NOTICE` updated if third-party attribution is required
@@ -95,3 +113,5 @@ Per [`CONTRIBUTING.md § AI generated content`](CONTRIBUTING.md#ai-generated-con
 - [ ] Tests added or updated
 - [ ] `make style` passes
 - [ ] AI authorship labelled with `Co-Authored-By:` / `Generated-by:` where applicable
+- [ ] Security-sensitive changes use neutral commit/PR language (no public vulnerability details)
+- [ ] Changes touching transport limits / TLS / auth cross-checked against `doc/thrift-threat-model.md`
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,33 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Apache Thrift follows the
+[Apache Software Foundation vulnerability handling process](https://www.apache.org/security/).
+
+**Do not report security vulnerabilities through public GitHub issues, pull requests, or
+discussion threads.**
+
+Send a report to **[security@apache.org](mailto:security@apache.org)** with:
+
+- Apache Thrift version(s) affected
+- Language binding(s) affected
+- A clear description of the issue and its potential impact
+- Reproduction steps or a minimal proof-of-concept (where safe to include)
+
+The Apache Security Team will acknowledge receipt within a few days and will work with the
+project's security team to assess and remediate the issue before coordinating public
+disclosure.
+
+## Threat Model
+
+The project maintains a threat model document at
+[`doc/thrift-threat-model.md`](doc/thrift-threat-model.md).
+It describes the attack surface, trust boundaries, transport-level security properties,
+and known design trade-offs for all supported language bindings.
+
+## Past Advisories
+
+Past security advisories are published on the
+[Apache Thrift security page](https://thrift.apache.org/security) and on the
+[ASF security advisories page](https://www.apache.org/security/projects.html).