Skip to content

Security: personamanagmentlayer/aral-standard

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.0.x ✅ Yes
< 1.0 ❌ No

Reporting a Vulnerability

DO NOT open a public issue for security vulnerabilities.

How to Report

  1. Email: security@aral-standard.org
  2. Subject: [SECURITY] Brief description
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

Response Timeline

Stage Timeframe
Acknowledgment 24-48 hours
Initial assessment 72 hours
Status update 7 days
Resolution target 30-90 days

What to Expect

  1. Confirmation of receipt
  2. Assessment of severity (CVSS score)
  3. Regular updates on progress
  4. Credit in security advisory (if desired)
  5. Coordinated disclosure

Scope

In scope:

  • ARAL specification vulnerabilities
  • Reference implementation bugs
  • JSON Schema validation bypasses
  • Authentication/authorization flaws

Out of scope:

  • Third-party implementations
  • Social engineering
  • Physical security
  • Denial of service (unless critical)

Safe Harbor

We will not take legal action against researchers who:

  • Act in good faith
  • Avoid privacy violations
  • Avoid data destruction
  • Report promptly
  • Allow reasonable time for fixes

Security Best Practices

When implementing ARAL:

  1. Always validate against JSON schemas
  2. Never trust L4 (Reasoning) output without L3 (Capabilities) verification
  3. Implement circuit breakers (ARAL-L6-003)
  4. Use secrets via vault references only (ARAL-S-080)
  5. Log all security events (ARAL-S-090)

Contact


© 2026 IbIFACE

There aren't any published security advisories