Update security model

[wgtmac]

What changes were proposed in this pull request?

This PR adds a new "Threat Model" section to the project's Security documentation (site/security/index.md).
The new section outlines:

1. The trusted vs. untrusted data boundaries for the orc library.
2. The distinction between robustness issues (e.g., crashes or Out-Of-Bounds reads caused by maliciously fuzzed files) and actual security vulnerabilities.
3. The responsibilities of the low-level parsing library versus the data ingestion layer.

Why are the changes needed?

This update is needed to align Apache ORC's security threat model with other foundational data format libraries like Apache Arrow.

The community occasionally receives reports from fuzzing tools regarding crashes, OOMs, or memory issues caused by parsing maliciously corrupted files. This documentation clarifies our stance: because orc is a low-level format library designed for trusted environments, parsing malformed files that cause a crash (without leading to Remote Code Execution or bypassing a defined security boundary) is considered a normal software bug (a robustness issue) rather than a security vulnerability (CVE).

This will help avoid overwhelming maintainers with non-exploitable CVEs and set clear expectations for security researchers.

How was this patch tested?

This is a documentation-only change updating the website Markdown. No functional code changes were introduced.

Was this patch authored or co-authored using generative AI tooling?

Generated-by: Gemini 3.1 Pro

[dongjoon-hyun]

+1, LGTM.

[wgtmac]

Thank you, @dongjoon-hyun!