| Version | Supported |
|---|---|
| 1.0.x | ✅ Yes |
| < 1.0 | ❌ No |
DO NOT open a public issue for security vulnerabilities.
- Email: security@aral-standard.org
- Subject: [SECURITY] Brief description
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
| Stage | Timeframe |
|---|---|
| Acknowledgment | 24-48 hours |
| Initial assessment | 72 hours |
| Status update | 7 days |
| Resolution target | 30-90 days |
- Confirmation of receipt
- Assessment of severity (CVSS score)
- Regular updates on progress
- Credit in security advisory (if desired)
- Coordinated disclosure
In scope:
- ARAL specification vulnerabilities
- Reference implementation bugs
- JSON Schema validation bypasses
- Authentication/authorization flaws
Out of scope:
- Third-party implementations
- Social engineering
- Physical security
- Denial of service (unless critical)
We will not take legal action against researchers who:
- Act in good faith
- Avoid privacy violations
- Avoid data destruction
- Report promptly
- Allow reasonable time for fixes
When implementing ARAL:
- Always validate against JSON schemas
- Never trust L4 (Reasoning) output without L3 (Capabilities) verification
- Implement circuit breakers (ARAL-L6-003)
- Use secrets via vault references only (ARAL-S-080)
- Log all security events (ARAL-S-090)
- Security Team: security@aral-standard.org
- PGP Key: [Available on request]
© 2026 IbIFACE