xarf · thevictorlopez · Mar 20, 2026 · Mar 11, 2026 · Mar 13, 2026 · Mar 13, 2026
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -1,116 +1,57 @@
 # Security Policy
 
-## Supported Versions
-
-| Version | Supported          |
-| ------- | ------------------ |
-| 1.0.0   | :white_check_mark: |
-| 1.0.0-alpha.2 | :x: (upgrade to 1.0.0) |
-| 1.0.0-alpha.1 | :x: (upgrade to 1.0.0) |
-
 ## Reporting a Vulnerability
 
-We take security vulnerabilities seriously. If you discover a security issue in this project, please report it responsibly.
+The XARF project takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.
 
 ### How to Report
 
-**DO NOT** open a public GitHub issue for security vulnerabilities.
-
-Instead, please email security details to: **security@xarf.org**
-
-Include the following information in your report:
-- Description of the vulnerability
-- Steps to reproduce the issue
-- Potential impact
-- Suggested fix (if available)
-
-### What to Expect
-
-- **Acknowledgment**: We will acknowledge receipt of your vulnerability report within 48 hours
-- **Assessment**: We will assess the severity and impact of the vulnerability
-- **Updates**: We will keep you informed of our progress toward a fix
-- **Disclosure**: Once a fix is available, we will coordinate disclosure timing with you
-
-## Security Best Practices
-
-When using the XARF JavaScript parser, follow these security best practices:
-
-### Input Validation
-
-1. **Always validate XARF reports** against the schema before processing
-2. **Sanitize all user-supplied data** before using it in XARF reports
-3. **Set size limits** on incoming reports to prevent memory exhaustion
-4. **Validate email addresses** and other contact information before use
-
-### Safe Parsing
-
-```javascript
-// Example: Safe parsing with error handling
-try {
-  const report = parser.parse(input);
-
-  // Validate against schema
-  if (!validator.validate(report)) {
-    throw new Error('Invalid XARF report structure');
-  }
-
-  // Process validated report
-  processReport(report);
-} catch (error) {
-  // Handle parsing errors securely
-  logger.error('Parsing failed', { error: error.message });
-  // Do not expose internal details to users
-}
-```
+**Please DO NOT report security vulnerabilities through public GitHub issues.**
 
-### Data Handling
+Instead, please report security vulnerabilities by emailing:
 
-1. **Do not log sensitive information** from XARF reports
-2. **Redact PII** when logging or storing reports
-3. **Use secure transport** (HTTPS/TLS) when transmitting reports
-4. **Encrypt sensitive data** at rest
+**security@abusix.com**
 
-### Dependency Management
+### What to Include
 
-1. **Regularly update dependencies** to patch known vulnerabilities
-2. **Use `npm audit`** to check for security issues
-3. **Review security advisories** for dependencies
-4. **Consider using lock files** (`package-lock.json`) for reproducible builds
+Please include the following information in your report:
 
-### Code Practices
+- Type of vulnerability or security concern
+- Affected specification version(s)
+- Detailed description of the security issue
+- Potential impact on implementations
+- Suggested mitigation or fix (if applicable)
 
-1. **Avoid eval()** and similar dynamic code execution
-2. **Use strict mode** (`"use strict"`)
-3. **Validate all inputs** before processing
-4. **Follow principle of least privilege** in code design
+### Response Timeline
 
-## Known Security Considerations
+- **Initial Response**: Within 48 hours
+- **Status Update**: Within 7 days
+- **Resolution**: Depends on severity and complexity
 
-### XARF Report Content
+### Security Update Process
 
-XARF reports may contain:
-- Email addresses and contact information
-- IP addresses and network data
-- Potentially malicious content samples
-- Sensitive abuse details
+1. **Triage**: We'll confirm the vulnerability and assess severity
+2. **Specification Review**: We'll review affected specification sections
+3. **Fix Development**: We'll develop and review proposed changes
+4. **Community Review**: We'll engage with implementation maintainers
+5. **Disclosure**: We'll coordinate disclosure timing with you
+6. **Publication**: We'll publish updated specification with security notes
 
-**Always treat XARF report content as untrusted user input.**
+## Vulnerability Disclosure Policy
 
-### Schema Validation
+We follow a **coordinated disclosure** model:
 
-While the parser validates structure, additional application-level validation may be required for:
-- Email address format verification
-- IP address range validation
-- URL safety checks
-- Content length restrictions
+1. **Private Disclosure**: Report sent to security@abusix.com
+2. **Acknowledgment**: We confirm receipt within 48 hours
+3. **Investigation**: We investigate with specification experts
+4. **Community Review**: We consult with implementation maintainers
+5. **Specification Update**: We publish updated specification
+6. **Public Disclosure**: We publish advisory 7 days after publication
 
-## Security Updates
+## Security Hall of Fame
 
-Security updates will be released as soon as possible after a vulnerability is confirmed and fixed. Updates will be announced through:
-- GitHub Security Advisories
-- Release notes
-- Project changelog
+We recognize security researchers who responsibly disclose vulnerabilities:
 
-## Acknowledgments
+<!-- Security researchers will be listed here -->
 
-We appreciate the security research community's efforts in responsibly disclosing vulnerabilities. Contributors who report valid security issues will be acknowledged (with their permission) in our security advisories.
+_No vulnerabilities reported yet._