Please report suspected security vulnerabilities in Apache Hive privately
to the Hive security list at security@hive.apache.org, following the
Apache Software Foundation security process.
Do not open public GitHub issues or pull requests for security reports — a
private report lets the issue be investigated and fixed before disclosure.
A threat model for Apache Hive is maintained in
THREAT_MODEL.md. It describes the trust boundaries (the
HiveServer2 SQL front door, the Metastore, the query/UDF execution layer), the
adversaries in and out of scope, the security properties Hive upholds given its
deployment assumptions versus those left to the operator (transport security,
authorization-model choice, network isolation, UDF vetting), and the recurring
non-findings. Triagers of scanner, fuzzer, or AI-generated findings should
route each through THREAT_MODEL.md §13.
This file is v0 and carries open questions for the Hive PMC in
THREAT_MODEL.md §14.