Improve security documentation page

docs/12-securityModel/01security-model.md → docs/12-security/01security.md

@@ -1,15 +1,17 @@
-# 安全模型
+# 安全
+
+## 安全模型
 
 Apache RocketMQ 项目自身提供了 ACL、TLS 等安全特性，但最终的安全效果仍取决于运维人员对 **网络、主机、账户与数据** 的整体防护。
 
-## 1. 认证与授权（ACL）
+### 1. 认证与授权（ACL）
 
 - 自 RocketMQ 4.4.0 起支持 ACL 1.0
 - 5.3.0 起引入安全性更高的 **ACL 2.0**
 - 5.3.3 移除了 ACL 1.0
 - 建议所有使用 Apache RocketMQ ACL 的用户迁移到 **ACL 2.0**
 
-## 2. 控制台 (Dashboard) 与可观测组件暴露
+### 2. 控制台 (Dashboard) 与可观测组件暴露
 
 RocketMQ Dashboard 及部分可观测组件（例如 RocketMQ Prometheus Exporter）默认不启用强认证，任何可访问 HTTP 端口的用户都可读取集群元数据。强烈建议：
 
@@ -19,21 +21,34 @@ RocketMQ Dashboard 及部分可观测组件（例如 RocketMQ Prometheus Exporte
 
 > 否则可能导致信息泄露风险，该风险属于部署方责任而非 RocketMQ 漏洞。
 
-## 3. 传输加密与数据加密
+### 3. 传输加密与数据加密
 
 - 客户端与服务端可通过 TLS 加密通信，若数据中包含敏感信息可以开启
 - 消息体由业务定义，RocketMQ 不会解析或持久化解密后的内容
 - 若消息包含敏感信息，应在业务侧进行字段或整体加密，避免明文落盘
 
-## 4. 序列化与反序列化风险
+### 4. 序列化与反序列化风险
 
 - RocketMQ 仅传输字节数组，不做对象反序列化
 - 消费端若需反序列化，应选用安全格式（如 JSON-Binding、Protobuf 等），并对不可信数据进行校验
 
-## 5. SDK 与版本管理
+### 5. SDK 与版本管理
 
 - 始终使用官方最新稳定版客户端，以获得最新漏洞修复与改进
 
-## 6. 日志管理
+### 6. 日志管理
 
 - 请妥善保管 RocketMQ 相关日志（包括 Broker、Namesrver、Proxy、Client等），避免敏感信息泄漏
+
+## 安全策略
+
+Apache RocketMQ 是 Apache Software Foundation（ASF）旗下项目，遵循 ASF 的漏洞处理流程。
+
+### 漏洞报告
+
+如果你发现了新的安全漏洞，请遵循 ASF 官方的漏洞报告流程进行私下披露与提交：
+https://apache.org/security/#reporting-a-vulnerability
+
+为便于评估与修复，建议在报告中包含：受影响的组件/版本、复现步骤、影响说明，以及 PoC（如有）。
+
+> 请勿在修复发布前通过公开 Issue、邮件列表或社交媒体披露可被立即利用的细节。

docs/12-security/_category_.json

@@ -0,0 +1,4 @@
+{
+  "label": "安全",
+  "position": 13
+}

docusaurus.config.js

@@ -460,7 +460,7 @@ const darkCodeTheme = require("prism-react-renderer/themes/dracula");
                 },
                 {
                   label: 'Security',
-                  href: 'https://www.apache.org/security/',
+                  to: '/docs/security/01security',
                 },
                 {
                   label: 'Thanks',

i18n/en/docusaurus-plugin-content-docs/current.json

@@ -51,8 +51,8 @@
     "message": "Contribution Guide",
     "description": "The label for category 贡献指南 in sidebar myAutogeneratedSidebar"
   },
-  "sidebar.myAutogeneratedSidebar.category.安全模型": {
-    "message": "Security Model",
-    "description": "The label for category 安全模型 in sidebar myAutogeneratedSidebar"
+  "sidebar.myAutogeneratedSidebar.category.安全": {
+    "message": "Security",
+    "description": "The label for category 安全 in sidebar myAutogeneratedSidebar"
   }
 }

i18n/en/docusaurus-plugin-content-docs/current/12-securityModel/01security-model.md → i18n/en/docusaurus-plugin-content-docs/current/12-security/01security.md

@@ -1,15 +1,17 @@
-# Security Model
+# Security
+
+## Security Model
 
 The Apache RocketMQ project itself provides security features such as ACL and TLS, but the final security effectiveness still depends on the operator’s comprehensive protection of **network, hosts, accounts, and data**.
 
-## 1. Authentication and Authorization (ACL)
+### 1. Authentication and Authorization (ACL)
 
 - ACL 1.0 has been supported since RocketMQ 4.4.0
 - The more secure **ACL 2.0** was introduced in 5.3.0
 - ACL 1.0 was removed in 5.3.3
 - It is recommended that all users who use Apache RocketMQ ACL migrate to **ACL 2.0**
 
-## 2. Dashboard  &  Observability Exposure
+### 2. Dashboard  &  Observability Exposure
 
 RocketMQ Dashboard and some observability components (such as RocketMQ Prometheus Exporter) do **not** enable strong authentication by default; anyone who can access the HTTP port can read cluster metadata. Strongly recommended:
 
@@ -19,21 +21,34 @@ RocketMQ Dashboard and some observability components (such as RocketMQ Prometheu
 
 > Otherwise, information-leakage risks may occur; such risks are the responsibility of the deployment side rather than RocketMQ vulnerabilities.
 
-## 3. Transport Encryption and Data Encryption
+### 3. Transport Encryption and Data Encryption
 
 - Clients and servers can communicate through **TLS** encryption; enable it if sensitive data is involved
 - The message body is defined by the business; RocketMQ will **not** parse or persist decrypted content
 - If messages contain sensitive information, perform field-level or overall encryption on the business side to avoid storing plaintext
 
-## 4. Serialization and Deserialization Risks
+### 4. Serialization and Deserialization Risks
 
 - RocketMQ only transmits byte arrays and does **not** perform object deserialization
 - If consumers need to deserialize, they should choose secure formats (such as **JSON-Binding, Protobuf** etc.) and validate untrusted data
 
-## 5. SDK and Version Management
+### 5. SDK and Version Management
 
 - Always use the latest official stable client to obtain the latest vulnerability fixes and improvements
 
-## 6. Log Management
+### 6. Log Management
+
+- Properly keep RocketMQ-related logs (including **Broker, NameServer, Proxy, Client**, etc.) to avoid leakage of sensitive information
+
+## Security Policy
+
+Apache RocketMQ is a project of the Apache Software Foundation (ASF) and follows the ASF vulnerability handling process.
+
+### Reporting a Vulnerability
+
+To report a new vulnerability you have discovered, please follow the ASF vulnerability reporting process:
+https://apache.org/security/#reporting-a-vulnerability
+
+To help us assess and address the issue, please include the affected component(s)/version(s), reproduction steps, impact analysis, and a PoC if available.
 
-- Properly keep RocketMQ-related logs (including **Broker, NameServer, Proxy, Client**, etc.) to avoid leakage of sensitive information
+> Please do not disclose exploitable details via public issues, mailing lists, or social media before a fix is available.

i18n/en/docusaurus-plugin-content-docs/version-5.0.json

@@ -55,8 +55,8 @@
     "message": "Contribution Guide",
     "description": "The label for category 贡献指南 in sidebar myAutogeneratedSidebar"
   },
-  "sidebar.myAutogeneratedSidebar.category.安全模型": {
-    "message": "Security Model",
-    "description": "The label for category 安全模型 in sidebar myAutogeneratedSidebar"
+  "sidebar.myAutogeneratedSidebar.category.安全": {
+    "message": "Security",
+    "description": "The label for category 安全 in sidebar myAutogeneratedSidebar"
   }
 }

i18n/en/docusaurus-plugin-content-docs/version-5.0/14-securityModel/01security-model.md → i18n/en/docusaurus-plugin-content-docs/version-5.0/14-security/01security.md

@@ -1,15 +1,17 @@
-# Security Model
+# Security
+
+## Security Model
 
 The Apache RocketMQ project itself provides security features such as ACL and TLS, but the final security effectiveness still depends on the operator’s comprehensive protection of **network, hosts, accounts, and data**.
 
-## 1. Authentication and Authorization (ACL)
+### 1. Authentication and Authorization (ACL)
 
 - ACL 1.0 has been supported since RocketMQ 4.4.0
 - The more secure **ACL 2.0** was introduced in 5.3.0
 - ACL 1.0 was removed in 5.3.3
 - It is recommended that all users who use Apache RocketMQ ACL migrate to **ACL 2.0**
 
-## 2. Dashboard  &  Observability Exposure
+### 2. Dashboard  &  Observability Exposure
 
 RocketMQ Dashboard and some observability components (such as RocketMQ Prometheus Exporter) do **not** enable strong authentication by default; anyone who can access the HTTP port can read cluster metadata. Strongly recommended:
 
@@ -19,21 +21,34 @@ RocketMQ Dashboard and some observability components (such as RocketMQ Prometheu
 
 > Otherwise, information-leakage risks may occur; such risks are the responsibility of the deployment side rather than RocketMQ vulnerabilities.
 
-## 3. Transport Encryption and Data Encryption
+### 3. Transport Encryption and Data Encryption
 
 - Clients and servers can communicate through **TLS** encryption; enable it if sensitive data is involved
 - The message body is defined by the business; RocketMQ will **not** parse or persist decrypted content
 - If messages contain sensitive information, perform field-level or overall encryption on the business side to avoid storing plaintext
 
-## 4. Serialization and Deserialization Risks
+### 4. Serialization and Deserialization Risks
 
 - RocketMQ only transmits byte arrays and does **not** perform object deserialization
 - If consumers need to deserialize, they should choose secure formats (such as **JSON-Binding, Protobuf** etc.) and validate untrusted data
 
-## 5. SDK and Version Management
+### 5. SDK and Version Management
 
 - Always use the latest official stable client to obtain the latest vulnerability fixes and improvements
 
-## 6. Log Management
+### 6. Log Management
+
+- Properly keep RocketMQ-related logs (including **Broker, NameServer, Proxy, Client**, etc.) to avoid leakage of sensitive information
+
+## Security Policy
+
+Apache RocketMQ is a project of the Apache Software Foundation (ASF) and follows the ASF vulnerability handling process.
+
+### Reporting a Vulnerability
+
+To report a new vulnerability you have discovered, please follow the ASF vulnerability reporting process:
+https://apache.org/security/#reporting-a-vulnerability
+
+To help us assess and address the issue, please include the affected component(s)/version(s), reproduction steps, impact analysis, and a PoC if available.
 
-- Properly keep RocketMQ-related logs (including **Broker, NameServer, Proxy, Client**, etc.) to avoid leakage of sensitive information
+> Please do not disclose exploitable details via public issues, mailing lists, or social media before a fix is available.

i18n/en/docusaurus-theme-classic/footer.json

@@ -77,7 +77,7 @@
   },
   "link.item.label.Security": {
     "message": "Security",
-    "description": "The label of footer link with label=Security linking to https://www.apache.org/security/"
+    "description": "The label of footer link with label=Security linking to /docs/security/01security"
   },
   "link.item.label.Thanks": {
     "message": "Thanks",

versioned_docs/version-5.0/14-securityModel/01security-model.md → versioned_docs/version-5.0/14-security/01security.md

@@ -1,15 +1,17 @@
-# 安全模型
+# 安全
+
+## 安全模型
 
 Apache RocketMQ 项目自身提供了 ACL、TLS 等安全特性，但最终的安全效果仍取决于运维人员对 **网络、主机、账户与数据** 的整体防护。
 
-## 1. 认证与授权（ACL）
+### 1. 认证与授权（ACL）
 
 - 自 RocketMQ 4.4.0 起支持 ACL 1.0
 - 5.3.0 起引入安全性更高的 **ACL 2.0**
 - 5.3.3 移除了 ACL 1.0
 - 建议所有使用 Apache RocketMQ ACL 的用户迁移到 **ACL 2.0**
 
-## 2. 控制台 (Dashboard) 与可观测组件暴露
+### 2. 控制台 (Dashboard) 与可观测组件暴露
 
 RocketMQ Dashboard 及部分可观测组件（例如 RocketMQ Prometheus Exporter）默认不启用强认证，任何可访问 HTTP 端口的用户都可读取集群元数据。强烈建议：
 
@@ -19,21 +21,37 @@ RocketMQ Dashboard 及部分可观测组件（例如 RocketMQ Prometheus Exporte
 
 > 否则可能导致信息泄露风险，该风险属于部署方责任而非 RocketMQ 漏洞。
 
-## 3. 传输加密与数据加密
+### 3. 传输加密与数据加密
 
 - 客户端与服务端可通过 TLS 加密通信，若数据中包含敏感信息可以开启
 - 消息体由业务定义，RocketMQ 不会解析或持久化解密后的内容
 - 若消息包含敏感信息，应在业务侧进行字段或整体加密，避免明文落盘
 
-## 4. 序列化与反序列化风险
+### 4. 序列化与反序列化风险
 
 - RocketMQ 仅传输字节数组，不做对象反序列化
 - 消费端若需反序列化，应选用安全格式（如 JSON-Binding、Protobuf 等），并对不可信数据进行校验
 
-## 5. SDK 与版本管理
+### 5. SDK 与版本管理
 
 - 始终使用官方最新稳定版客户端，以获得最新漏洞修复与改进
 
-## 6. 日志管理
+### 6. 日志管理
 
 - 请妥善保管 RocketMQ 相关日志（包括 Broker、Namesrver、Proxy、Client等），避免敏感信息泄漏
+
+
+## 安全策略
+
+Apache RocketMQ 是 Apache Software Foundation（ASF）旗下项目，遵循 ASF 的漏洞处理流程。
+
+### 漏洞报告
+
+如果你发现了新的安全漏洞，请遵循 ASF 官方的漏洞报告流程进行私下披露与提交：
+https://apache.org/security/#reporting-a-vulnerability
+
+为便于评估与修复，建议在报告中包含：受影响的组件/版本、复现步骤、影响说明，以及 PoC（如有）。
+
+> 请勿在修复发布前通过公开 Issue、邮件列表或社交媒体披露可被立即利用的细节。
+
+

versioned_docs/version-5.0/14-security/_category_.json

@@ -0,0 +1,4 @@
+{
+  "label": "安全",
+  "position": 14
+}