Security: xarf/xarf-javascript

.github/SECURITY.md

Security Policy

Reporting a Vulnerability

The XARF project takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.

How to Report

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing:

security@abusix.com

What to Include

Please include the following information in your report:

  • Type of vulnerability or security concern
  • Affected specification version(s)
  • Detailed description of the security issue
  • Potential impact on implementations
  • Suggested mitigation or fix (if applicable)

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Resolution: Depends on severity and complexity

Security Update Process

  1. Triage: We'll confirm the vulnerability and assess severity
  2. Specification Review: We'll review affected specification sections
  3. Fix Development: We'll develop and review proposed changes
  4. Community Review: We'll engage with implementation maintainers
  5. Disclosure: We'll coordinate disclosure timing with you
  6. Publication: We'll publish an updated specification with security notes

Vulnerability Disclosure Policy

We follow a coordinated disclosure model:

  1. Private Disclosure: Report sent to security@abusix.com
  2. Acknowledgment: We confirm receipt within 48 hours
  3. Investigation: We investigate with specification experts
  4. Community Review: We consult with implementation maintainers
  5. Specification Update: We publish the updated specification
  6. Public Disclosure: We publish an advisory 7 days after publication

Security Hall of Fame

We recognize security researchers who responsibly disclose vulnerabilities:

No vulnerabilities reported yet.

There aren’t any published security advisories