We actively support and provide security updates for the following versions:

| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| 1.x.x | ❌ |

We take security vulnerabilities seriously. If you discover a security issue in XARF Python Parser, please report it responsibly.

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, report security vulnerabilities by:

- Email: Send details to security@xarf.org
- Private Advisory: Use GitHub's private security advisory feature

When reporting a vulnerability, please include:

- Description of the vulnerability
- Steps to reproduce the issue
- Affected versions
- Potential impact assessment
- Any proof-of-concept code (if applicable)
- Your name/handle for credit (optional)

Our response timeline:

- Acknowledgment: Within 48 hours of report
- Initial Assessment: Within 5 business days
- Status Updates: Every 7 days until resolution
- Fix Timeline: Critical issues within 30 days, others within 90 days

Disclosure policy:

- We will coordinate public disclosure with you
- Security advisories will be published after fixes are released
- We credit security researchers in advisories (unless you prefer to remain anonymous)
This project implements multiple security layers:

- CodeQL Analysis: Deep semantic security analysis (weekly + on PRs)
- Dependency Review: PR-based vulnerability scanning
- Dependabot: Automated dependency security updates
- Secret Scanning: Detects committed credentials
- Bandit: Python-specific security linter in CI

All pull requests must pass:

- Static security analysis (Bandit)
- Type safety checks (MyPy strict mode)
- Dependency vulnerability scans
- Code complexity limits (Radon)

Our codebase follows:

- Strict type hints for safety
- Input validation via Pydantic models
- No hardcoded credentials
- Principle of least privilege
- Regular dependency updates

When processing XARF reports:

- Input Validation: All reports are validated against the JSON schema
- Email Parsing: Uses python-email-validator for safe email processing
- Date Handling: Uses python-dateutil for timezone-aware parsing
- No Code Execution: The parser does not execute any user-provided code
We actively monitor and update dependencies for security issues:

- Automated Dependabot updates for vulnerabilities
- Grouped minor/patch updates for development dependencies
- Individual PRs for production dependency major updates

Security updates are released as:

- Critical: Immediate patch release
- High: Patch release within 7 days
- Moderate: Included in next minor release
- Low: Included in next release cycle

Subscribe to GitHub Security Advisories for notifications.

We are committed to working with security researchers under responsible disclosure guidelines. Researchers should:

- Allow reasonable time for fixes before public disclosure
- Avoid privacy violations and data destruction
- Not exploit vulnerabilities beyond proof-of-concept
- Respect user privacy and data protection regulations

We recognize security researchers who help improve our security:

For general inquiries or questions about this policy, contact: security@xarf.org