From 31babd0bd2f53c0c1d3df40085ab4ade16ffc4bd Mon Sep 17 00:00:00 2001 From: Arnout Engelen Date: Tue, 16 Jun 2026 18:25:59 +0200 Subject: [PATCH] docs: clarify security model This was previously discussed on the private security list and on the commons-pmc slack, here it is now presented for public review. --- src/site/xdoc/security.xml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml index d8f2588804..2413ef6b51 100644 --- a/src/site/xdoc/security.xml +++ b/src/site/xdoc/security.xml @@ -32,6 +32,19 @@ incomplete, please report them privately to the Apache Security Team. Thank you.

+
+

The Apache Commons security model specifies + that it is unsafe to pass possibly malicious input to Commons libraries + unless otherwise specified. + For Commons BCEL, processing untrusted class data is supported to the extent that + this should never allow the supplier of the data to trigger arbitrary code execution, + filesystem or network access. It may still trigger other crashes, such as for example StackOverflowError or OutOfMemoryError: + if your code uses BCEL to process untrusted input + then it is up to you to compensate for that as necessary. + Loading or executing the generated classes is unsafe and may cause unexpected behaviour, + including execute arbitrary code execution. +

+
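Review bot: The last added sentence of the hunk ends with "including execute arbitrary code execution", which is ungrammatical in a page that defines the project's security boundary; suggest "including arbitrary code execution". In the BCEL sentence before it, "It may still trigger other crashes, such as for example StackOverflowError or OutOfMemoryError" has two smaller problems: "such as for example" is redundant, and "other crashes" has no antecedent, because the preceding clause lists code execution, filesystem access and network access, none of which is a crash. Something like "It may still cause failures such as StackOverflowError or OutOfMemoryError" reads more cleanly. Finally, "Loading or executing the generated classes is unsafe" could be read as covering only classes that BCEL itself generates; if the intent is that loading any class derived from or parsed out of untrusted input is outside the supported model, saying so explicitly would make the boundary between "processing untrusted class data" (supported) and loading it (unsupported) unambiguous for readers triaging reports against this text.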