apache · pitrou · Feb 9, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
diff --git a/_posts/2023-11-09-14.0.1-release.md b/_posts/2023-11-09-14.0.1-release.md
@@ -3,7 +3,7 @@ layout: post
 title: "Apache Arrow 14.0.1 Release"
 date: "2023-11-09 00:00:00"
 author: pmc
-categories: [release]
+categories: [release, security]
 ---
 <!--
 {% comment %}

diff --git a/_posts/2026-02-09-arrow-security-model.md b/_posts/2026-02-09-arrow-security-model.md
@@ -0,0 +1,46 @@
+---
+layout: post
+title: "Introducing a Security Model for Arrow"
+date: "2026-02-09 00:00:00"
+author: pmc
+categories: [arrow, security]
+---
+<!--
+{% comment %}
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to you under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+{% endcomment %}
+-->
+
+We are thrilled to announce the official publication of a
+[Security Model](https://arrow.apache.org/docs/dev/format/Security.html) for Apache Arrow.
+
+The Arrow security model covers a core subset of the Arrow specifications:
+the [Arrow Columnar Format](https://arrow.apache.org/docs/dev/format/Columnar.html),
+the [Arrow C Data Interface](https://arrow.apache.org/docs/dev/format/CDataInterface.html) and the
+[Arrow IPC Format](https://arrow.apache.org/docs/dev/format/Columnar.html#serialization-and-interprocess-communication-ipc).
+It sets expectations and gives guidelines for handling data coming from
+untrusted sources.
+
+The specifications covered by the Arrow security model are building blocks for
+all the other Arrow specifications, such as Flight and ADBC.
+
+The ideas underlying the Arrow security model were informally shared between
+Arrow maintainers and have informed decisions for years, but they were left
+undocumented until now.
+
+Implementation-specific security considerations, such as proper API usage and
+runtime safety guarantees, will later be covered in the documentation of the
+respective implementations.
diff --git a/security.md b/security.md
@@ -6,9 +6,19 @@ description: Security
 
 # Reporting Security Issues
 
-Apache Arrow uses the standard process outlined by the [Apache Security Team](https://www.apache.org/security/) for reporting vulnerabilities. Note that vulnerabilities should not be publicly disclosed until the project has responded.
-
-To report a possible security vulnerability, please email [private@arrow.apache.org](mailto:private@arrow.apache.org).
+We take security seriously and would like our project to be as robust and
+dependable as possible. If you believe to have found a security bug, please do
+not file a public issue.
+
+First, please carefully read the Apache Arrow
+[Security Model](https://arrow.apache.org/docs/dev/format/Security.html)
+and understand its implications for untrusted data, as some apparent security
+issues can actually be usage issues.
+
+Second, please follow the standard [vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability)
+outlined by the Apache Software Foundation. We will assess your report, follow
+up with our evaluation of the issue, and fix it as soon as possible if we deem
+it to be an actual security vulnerability.
 
 <hr class="my-5">