From c3db7b6b2b4c1eb443ea7eab88f5bd9be52055df Mon Sep 17 00:00:00 2001 From: Antoine Pitrou Date: Thu, 5 Feb 2026 16:16:44 +0100 Subject: [PATCH 1/9] Announce Arrow security model --- _posts/2023-11-09-14.0.1-release.md | 2 +- _posts/2026-02-05-arrow-security-model.md | 46 +++++++++++++++++++++++ security.md | 16 ++++++-- 3 files changed, 60 insertions(+), 4 deletions(-) create mode 100644 _posts/2026-02-05-arrow-security-model.md diff --git a/_posts/2023-11-09-14.0.1-release.md b/_posts/2023-11-09-14.0.1-release.md index e5c2487a91e5..1f941ecb97fa 100644 --- a/_posts/2023-11-09-14.0.1-release.md +++ b/_posts/2023-11-09-14.0.1-release.md @@ -3,7 +3,7 @@ layout: post title: "Apache Arrow 14.0.1 Release" date: "2023-11-09 00:00:00" author: pmc -categories: [release] +categories: [release, security] --- + +We are thrilled to announce the official publication of a +[Security model](https://arrow.apache.org/docs/dev/format/Security.html) for Apache Arrow. + +The Arrow security model covers a core subset of the Arrow specifications: +the [Arrow columnar format](https://arrow.apache.org/docs/dev/format/Columnar.html), +the [Arrow C Data Interface](https://arrow.apache.org/docs/dev/format/CDataInterface.html) and the +[Arrow IPC format](https://arrow.apache.org/docs/dev/format/Columnar.html#serialization-and-interprocess-communication-ipc). +It sets expectations and gives guidelines for handling data coming from +untrusted sources. + +The specifications covered by the Arrow security model are building blocks for +all the other Arrow specifications, such as Flight and ADBC. + +The ideas underlying the Arrow security model were informally shared between +Arrow maintainers and have informed decisions for years, but they were left +undocumented until now. + +Implementation-specific security considerations, such as proper API usage and +runtime safety guarantees, will later be covered in these implementations' +respective documentations. 
diff --git a/security.md b/security.md index 32924f95bff8..f3f1c056cfc1 100644 --- a/security.md +++ b/security.md @@ -6,9 +6,19 @@ description: Security # Reporting Security Issues -Apache Arrow uses the standard process outlined by the [Apache Security Team](https://www.apache.org/security/) for reporting vulnerabilities. Note that vulnerabilities should not be publicly disclosed until the project has responded. - -To report a possible security vulnerability, please email [private@arrow.apache.org](mailto:private@arrow.apache.org). +We take security seriously and would like usage our project to be as robust and +dependable as possible. If you believe to have found a security bug, please do +not file a public issue. + +First, please carefully read the Apache Arrow +[Security Model](https://arrow.apache.org/docs/dev/format/Security.html) +and understand its implications, as some apparent security issues can actually +be usage issues. + +Second, please follow the standard [vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability) +outlined by the Apache Software Foundation. We will assess your report, follow +up with our evaluation of the issue, and fix it as soon as possible if we deem +it to be an actual security vulnerability.
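Review bot: the `security.md` hunk in PATCH 1/9 drops two things the old text had and the new text does not replace: the direct reporting address `private@arrow.apache.org` and the explicit request not to disclose a vulnerability publicly until the project has responded. "please do not file a public issue" only covers the issue tracker, and the ASF process page is one more hop away from a reporter; consider keeping a line such as `To report a possible security vulnerability, please email [private@arrow.apache.org](mailto:private@arrow.apache.org).` together with the non-disclosure sentence. Also "If you believe to have found a security bug" should read "If you believe you have found a security bug", and "would like usage our project" contains a stray word (corrected in PATCH 7/9, but it belongs in this commit).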
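Review bot: neither the `_posts/2023-11-09-14.0.1-release.md` hunk nor the commit message ("Announce Arrow security model") says why a 2023 release post gains the `security` category in a commit about a 2026 announcement; one sentence in the commit message stating why that release belongs under the new category would help whoever reads the history later.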
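Review bot: in the new post hunk of PATCH 1/9, "Security model", "Arrow columnar format" and "Arrow IPC format" are capitalized inconsistently with the "Arrow C Data Interface" link text, and "these implementations' respective documentations" should read "the documentation of the respective implementations". PATCH 2/9 through 6/9 make exactly these fixes one line at a time, so squashing them into this commit would leave a single clean commit.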
From 657e9aeef54dfa8a93a74159fed172a47c493a01 Mon Sep 17 00:00:00 2001 From: Antoine Pitrou Date: Thu, 5 Feb 2026 19:34:59 +0100 Subject: [PATCH 2/9] Update _posts/2026-02-05-arrow-security-model.md Co-authored-by: Bryce Mecum --- _posts/2026-02-05-arrow-security-model.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2026-02-05-arrow-security-model.md b/_posts/2026-02-05-arrow-security-model.md index 4d29e5c87ea8..9778fae1f3aa 100644 --- a/_posts/2026-02-05-arrow-security-model.md +++ b/_posts/2026-02-05-arrow-security-model.md @@ -1,6 +1,6 @@ --- layout: post -title: "Introducing the Arrow security model" +title: "Introducing a Security Model for Arrow" date: "2026-02-05 00:00:00" author: pmc categories: [arrow, security] From 73a34d612e3b1d19d1272da08f68849ef433ad9b Mon Sep 17 00:00:00 2001 From: Antoine Pitrou Date: Thu, 5 Feb 2026 19:35:06 +0100 Subject: [PATCH 3/9] Update _posts/2026-02-05-arrow-security-model.md Co-authored-by: Bryce Mecum --- _posts/2026-02-05-arrow-security-model.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2026-02-05-arrow-security-model.md b/_posts/2026-02-05-arrow-security-model.md index 9778fae1f3aa..305579d5d412 100644 --- a/_posts/2026-02-05-arrow-security-model.md +++ b/_posts/2026-02-05-arrow-security-model.md 
@@ -28,7 +28,7 @@ We are thrilled to announce the official publication of a [Security model](https://arrow.apache.org/docs/dev/format/Security.html) for Apache Arrow. The Arrow security model covers a core subset of the Arrow specifications: -the [Arrow columnar format](https://arrow.apache.org/docs/dev/format/Columnar.html), +the [Arrow Columnar Format](https://arrow.apache.org/docs/dev/format/Columnar.html), the [Arrow C Data Interface](https://arrow.apache.org/docs/dev/format/CDataInterface.html) and the [Arrow IPC format](https://arrow.apache.org/docs/dev/format/Columnar.html#serialization-and-interprocess-communication-ipc). It sets expectations and gives guidelines for handling data coming from From 6b55b4d8a9145d4ba0f961b8e57d16a5f9248e6d Mon Sep 17 00:00:00 2001 From: Antoine Pitrou Date: Thu, 5 Feb 2026 19:35:12 +0100 Subject: [PATCH 4/9] Update _posts/2026-02-05-arrow-security-model.md Co-authored-by: Bryce Mecum --- _posts/2026-02-05-arrow-security-model.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2026-02-05-arrow-security-model.md b/_posts/2026-02-05-arrow-security-model.md index 305579d5d412..088b0a640847 100644 --- a/_posts/2026-02-05-arrow-security-model.md +++ b/_posts/2026-02-05-arrow-security-model.md @@ -25,7 +25,7 @@ limitations under the License. --> We are thrilled to announce the official publication of a -[Security model](https://arrow.apache.org/docs/dev/format/Security.html) for Apache Arrow. +[Security Model](https://arrow.apache.org/docs/dev/format/Security.html) for Apache Arrow. The Arrow security model covers a core subset of the Arrow specifications: the [Arrow Columnar Format](https://arrow.apache.org/docs/dev/format/Columnar.html), From 516ef2937cc5757a286d8a6aab59381d505713f5 Mon Sep 17 00:00:00 2001 
From: Antoine Pitrou Date: Thu, 5 Feb 2026 19:35:18 +0100 Subject: [PATCH 5/9] Update _posts/2026-02-05-arrow-security-model.md Co-authored-by: Bryce Mecum --- _posts/2026-02-05-arrow-security-model.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2026-02-05-arrow-security-model.md b/_posts/2026-02-05-arrow-security-model.md index 088b0a640847..4edafcb67980 100644 --- a/_posts/2026-02-05-arrow-security-model.md +++ b/_posts/2026-02-05-arrow-security-model.md @@ -30,7 +30,7 @@ We are thrilled to announce the official publication of a The Arrow security model covers a core subset of the Arrow specifications: the [Arrow Columnar Format](https://arrow.apache.org/docs/dev/format/Columnar.html), the [Arrow C Data Interface](https://arrow.apache.org/docs/dev/format/CDataInterface.html) and the -[Arrow IPC format](https://arrow.apache.org/docs/dev/format/Columnar.html#serialization-and-interprocess-communication-ipc). +[Arrow IPC Format](https://arrow.apache.org/docs/dev/format/Columnar.html#serialization-and-interprocess-communication-ipc). It sets expectations and gives guidelines for handling data coming from untrusted sources. From 463c6a0e0b5efb633ae120ffffd2c4e05cd0f48a Mon Sep 17 00:00:00 2001 From: Antoine Pitrou Date: Thu, 5 Feb 2026 19:35:26 +0100 Subject: [PATCH 6/9] Update _posts/2026-02-05-arrow-security-model.md Co-authored-by: Bryce Mecum --- _posts/2026-02-05-arrow-security-model.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_posts/2026-02-05-arrow-security-model.md b/_posts/2026-02-05-arrow-security-model.md index 4edafcb67980..8a025c3148d3 100644 --- a/_posts/2026-02-05-arrow-security-model.md +++ b/_posts/2026-02-05-arrow-security-model.md 
@@ -42,5 +42,5 @@ Arrow maintainers and have informed decisions for years, but they were left undocumented until now. Implementation-specific security considerations, such as proper API usage and -runtime safety guarantees, will later be covered in these implementations' -respective documentations. +runtime safety guarantees, will later be covered in the documentation of the +respective implementations. From b985f03e67eacd7899416679da7b7bcc4d90597b Mon Sep 17 00:00:00 2001 From: Antoine Pitrou Date: Thu, 5 Feb 2026 19:36:22 +0100 Subject: [PATCH 7/9] Apply suggestion from @pitrou --- security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security.md b/security.md index f3f1c056cfc1..15356798c917 100644 --- a/security.md +++ b/security.md @@ -6,7 +6,7 @@ description: Security # Reporting Security Issues -We take security seriously and would like usage our project to be as robust and +We take security seriously and would like our project to be as robust and dependable as possible. If you believe to have found a security bug, please do not file a public issue. From 4c83b31af8e37de9785b55c616bd1bc3ee66535a Mon Sep 17 00:00:00 2001 From: Antoine Pitrou Date: Thu, 5 Feb 2026 16:16:44 +0100 Subject: [PATCH 8/9] Announce Arrow security model --- _posts/2023-11-09-14.0.1-release.md | 2 +- _posts/2026-02-09-arrow-security-model.md | 46 +++++++++++++++++++++++ security.md | 16 ++++++-- 3 files changed, 60 insertions(+), 4 deletions(-) create mode 100644 _posts/2026-02-09-arrow-security-model.md diff --git a/_posts/2023-11-09-14.0.1-release.md b/_posts/2023-11-09-14.0.1-release.md index e5c2487a91e5..1f941ecb97fa 100644 --- a/_posts/2023-11-09-14.0.1-release.md +++ b/_posts/2023-11-09-14.0.1-release.md 
@@ -3,7 +3,7 @@ layout: post title: "Apache Arrow 14.0.1 Release" date: "2023-11-09 00:00:00" author: pmc -categories: [release] +categories: [release, security] --- + +We are thrilled to announce the official publication of a +[Security model](https://arrow.apache.org/docs/dev/format/Security.html) for Apache Arrow. + +The Arrow security model covers a core subset of the Arrow specifications: +the [Arrow columnar format](https://arrow.apache.org/docs/dev/format/Columnar.html), +the [Arrow C Data Interface](https://arrow.apache.org/docs/dev/format/CDataInterface.html) and the +[Arrow IPC format](https://arrow.apache.org/docs/dev/format/Columnar.html#serialization-and-interprocess-communication-ipc). +It sets expectations and gives guidelines for handling data coming from +untrusted sources. + +The specifications covered by the Arrow security model are building blocks for +all the other Arrow specifications, such as Flight and ADBC. + +The ideas underlying the Arrow security model were informally shared between +Arrow maintainers and have informed decisions for years, but they were left +undocumented until now. + +Implementation-specific security considerations, such as proper API usage and +runtime safety guarantees, will later be covered in these implementations' +respective documentations. diff --git a/security.md b/security.md index 32924f95bff8..b2b39ec5d7cb 100644 --- a/security.md +++ b/security.md 
@@ -6,9 +6,19 @@ description: Security # Reporting Security Issues -Apache Arrow uses the standard process outlined by the [Apache Security Team](https://www.apache.org/security/) for reporting vulnerabilities. Note that vulnerabilities should not be publicly disclosed until the project has responded. - -To report a possible security vulnerability, please email [private@arrow.apache.org](mailto:private@arrow.apache.org). +We take security seriously and would like usage our project to be as robust and +dependable as possible. If you believe to have found a security bug, please do +not file a public issue. + +First, please carefully read the Apache Arrow +[Security Model](https://arrow.apache.org/docs/dev/format/Security.html) +and understand its implications for untrusted data, as some apparent security +issues can actually be usage issues. + +Second, please follow the standard [vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability) +outlined by the Apache Software Foundation. We will assess your report, follow +up with our evaluation of the issue, and fix it as soon as possible if we deem +it to be an actual security vulnerability.
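Review bot: the `security.md` hunk in PATCH 8/9 is applied against the original base (`index 32924f95bff8`) and reintroduces "would like usage our project", which PATCH 7/9 already corrected; PATCH 9/9 does not touch `security.md`, so that typo is the state the series ends with. Either rebase PATCH 7/9 on top of this commit or fold its one-word fix in here, and fix "If you believe to have found" to "If you believe you have found" at the same time.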
From d4e3b0ef8853062603c85d9e0969f14e6102cf2d Mon Sep 17 00:00:00 2001 From: Antoine Pitrou Date: Mon, 9 Feb 2026 09:19:39 +0100 Subject: [PATCH 9/9] Fixes --- _posts/2026-02-05-arrow-security-model.md | 46 ----------------------- _posts/2026-02-09-arrow-security-model.md | 12 +++--- 2 files changed, 6 insertions(+), 52 deletions(-) delete mode 100644 _posts/2026-02-05-arrow-security-model.md diff --git a/_posts/2026-02-05-arrow-security-model.md b/_posts/2026-02-05-arrow-security-model.md deleted file mode 100644 index 8a025c3148d3..000000000000 --- a/_posts/2026-02-05-arrow-security-model.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -layout: post -title: "Introducing a Security Model for Arrow" -date: "2026-02-05 00:00:00" -author: pmc -categories: [arrow, security] ---- - - -We are thrilled to announce the official publication of a -[Security Model](https://arrow.apache.org/docs/dev/format/Security.html) for Apache Arrow. - -The Arrow security model covers a core subset of the Arrow specifications: -the [Arrow Columnar Format](https://arrow.apache.org/docs/dev/format/Columnar.html), -the [Arrow C Data Interface](https://arrow.apache.org/docs/dev/format/CDataInterface.html) and the -[Arrow IPC Format](https://arrow.apache.org/docs/dev/format/Columnar.html#serialization-and-interprocess-communication-ipc). -It sets expectations and gives guidelines for handling data coming from -untrusted sources. - -The specifications covered by the Arrow security model are building blocks for -all the other Arrow specifications, such as Flight and ADBC. - -The ideas underlying the Arrow security model were informally shared between -Arrow maintainers and have informed decisions for years, but they were left -undocumented until now. - -Implementation-specific security considerations, such as proper API usage and -runtime safety guarantees, will later be covered in the documentation of the -respective implementations. 
diff --git a/_posts/2026-02-09-arrow-security-model.md b/_posts/2026-02-09-arrow-security-model.md index b5009a0ce53d..95a1a3f3dd6f 100644 --- a/_posts/2026-02-09-arrow-security-model.md +++ b/_posts/2026-02-09-arrow-security-model.md @@ -1,6 +1,6 @@ --- layout: post -title: "Introducing the Arrow security model" +title: "Introducing a Security Model for Arrow" date: "2026-02-09 00:00:00" author: pmc categories: [arrow, security] @@ -25,12 +25,12 @@ limitations under the License. --> We are thrilled to announce the official publication of a -[Security model](https://arrow.apache.org/docs/dev/format/Security.html) for Apache Arrow. +[Security Model](https://arrow.apache.org/docs/dev/format/Security.html) for Apache Arrow. The Arrow security model covers a core subset of the Arrow specifications: -the [Arrow columnar format](https://arrow.apache.org/docs/dev/format/Columnar.html), +the [Arrow Columnar Format](https://arrow.apache.org/docs/dev/format/Columnar.html), the [Arrow C Data Interface](https://arrow.apache.org/docs/dev/format/CDataInterface.html) and the -[Arrow IPC format](https://arrow.apache.org/docs/dev/format/Columnar.html#serialization-and-interprocess-communication-ipc). +[Arrow IPC Format](https://arrow.apache.org/docs/dev/format/Columnar.html#serialization-and-interprocess-communication-ipc). It sets expectations and gives guidelines for handling data coming from untrusted sources. @@ -42,5 +42,5 @@ Arrow maintainers and have informed decisions for years, but they were left undocumented until now. Implementation-specific security considerations, such as proper API usage and -runtime safety guarantees, will later be covered in these implementations' -respective documentations. +runtime safety guarantees, will later be covered in the documentation of the +respective implementations.
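Review bot: PATCH 8/9 creates `_posts/2026-02-09-arrow-security-model.md` while `_posts/2026-02-05-arrow-security-model.md` from PATCH 1/9 still exists, and PATCH 9/9 then deletes the older file and re-applies the title, capitalization and wording fixes to the new one. Squashing the series (or rebasing 8/9 and 9/9 onto 7/9) would avoid a history in which the same announcement is added twice and deleted once; as it stands, a checkout between 8/9 and 9/9 carries two copies of the post with different dates.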