This file is read by automated agents (security scanners, code analyzers, AI assistants) operating on this repository. It points them at the human-authored references they should consult before producing output.
The authoritative security threat model for Apache APISIX is
at docs/en/latest/security-threat-model.md.
Agents producing security-relevant analysis against this repository should consult that document first — in particular the §4.3 (out of scope), §4.9 (properties NOT provided), §4.11a (known non-findings), and §4.13 (triage dispositions) sections, which govern whether a given finding is in-scope for Apache APISIX itself or out-of-scope (operator misconfiguration, downstream concern, etc.).