AlipMagical · Kesig777 · Feb 4, 2025 · Feb 7, 2025 · Feb 14, 2025
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,21 @@
+Kesig777@gmail.com Ownership rights that prevents others CIS to access or use# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 5.1.x   | :white_check_mark: |
+| 5.0.x   | :x:                |
+| 4.0.x   | :white_check_mark: |
+| < 4.0   | :x:                |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.
diff --git a/aip/auth/4114.md b/aip/auth/4114.md
@@ -63,7 +63,7 @@ endpoint override is an mTLS url, since the url pattern may change at anytime.
 The default mTLS endpoint for a service **should** be read from the Discovery
 Document field **"mtlsRootUrl"** instead of generated via regex patterns.
 
-### Obtaining the Default Device Certificate
+### Obtaining the Default Device Certificate via SecureConnect
 
 The default device certificate **should** be procured using the
 [EndpointVerification][1] workflow, which fetches the certificate from a
@@ -100,6 +100,18 @@ the form of an X.509 cert followed immediately by the private key:
   ...
   -----END PRIVATE KEY-----
 
+### Obtaining the Default Device Certificate via ECP
+
+The Enterprise Certificate Proxy (ECP) project is the newly recommended way to
+procure device certificates. It has two major advantages compared to the legacy
+SecureConnect mechanism:
+
+1.  Allows usage of enterprise certs and private keys stored in native keystores and TPMs
+    instead of relying on self-signed certs.
+1.  Delegates signing operations to keystores, so private keys never leave the security realm.
+
+Please see [ECP Public Documentation][2] for details on ECP configuration.
+
 ### Environment Variables
 
 There are situations where the ADC for DCA behavior needs to be modified, such
@@ -114,13 +126,16 @@ available. The default value of this environment variable will be "auto".
 **GOOGLE_API_USE_CLIENT_CERTIFICATE**: If **"true"**, device certificate
 authentication will be supported as described in the general guidance. If
 **"false"**, the device certificate **must** not be used, even if specified by
-the user. For now, the default value will be "false", since mTLS support is not
-yet fully adopted by all services. Users who wish to enable DCA feature **must**
-explicitly set this environment variable to "true". In the future, the default
-value will be "true' to allow a more secure connection to be established
-whenever possible.
+the user. The default value **should** be "true" as of May 3, 2024. Users who
+wish to disable DCA feature **must** explicitly set this environment variable
+to "false".
+
+## Changelog
+
+- **2024-11-25*: GOOGLE_API_USE_CLIENT_CERTIFICATE should default to "true" as of May 3, 2024.
 
 <!-- prettier-ignore-start -->
 [0]: https://google.aip.dev/auth/4110
 [1]: https://cloud.google.com/endpoint-verification/docs/overview
+[2]: https://cloud.google.com/beyondcorp-enterprise/docs/enable-cba-enterprise-certificates
 <!-- prettier-ignore-end -->
diff --git a/aip/general/0151.md b/aip/general/0151.md
@@ -120,9 +120,13 @@ has elapsed after the operation completed.
 Errors that prevent a long-running operation from _starting_ **must** return an
 error response ([AIP-193][]), similar to any other method.
 
-Errors that occur over the course of an operation **may** be placed in the
-metadata message. The errors themselves **must** still be represented with a
-[google.rpc.Status][] object.
+Operations that fail during their execution phase **must** return an
+error response ([AIP-193][]), placed in the `Operation.error` [google.rpc.Status][]
+field.
+
+Non-terminal errors that occur over the course of an operation **may** be placed
+in the metadata message and the field(s) **must** be [AIP-193][] compliant
+[google.rpc.Status][].
 
 ### Backwards compatibility
 
@@ -163,6 +167,8 @@ updated status) but server don't need to maintain any additional state.
 
 ## Changelog
 
+- **2025-02-04**: Clarified error propagation behavior for failures
+  that occur during long-running operations.
 - **2024-04-23**: Provided pattern for validation on RPCs returning
   long-running operations.
 - **2022-05-31**: Added compatibility section.