Security
This page documents the security policy for AIMO Standard, including vulnerability reporting and disclosure procedures.
Scope
In Scope
- Validator reference implementation (validator/)
- Build and release tooling (tooling/)
- JSON schemas (schemas/)
- Documentation website infrastructure
Out of Scope
- Specification content (normative text is not a security artifact)
- Adopter implementations using AIMO Standard
- External dependencies (report to upstream maintainers)
Supported Versions
| Version | Supported |
|---|---|
| latest (dev) | Yes |
| Tagged releases (vX.Y.Z) | Yes (latest 2 minor versions) |
| Older releases | No (upgrade recommended) |
Reporting a Vulnerability
Do not open a public GitHub issue for security vulnerabilities.
Process
- Report privately via GitHub's private vulnerability reporting
- Include: description, reproduction steps, affected versions, impact
- Allow time for assessment and fix development
Timeline
| Phase | Timeline |
|---|---|
| Acknowledgment | 72 hours |
| Initial assessment | 7 days |
| Coordinated disclosure | 90 days max |
Disclosure Policy
- Vulnerabilities are reported privately
- Fixes are developed before public disclosure
- Security advisories are published after fixes are available
- Reporters are credited (unless anonymity requested)
Security Measures
- CI/CD checks on all changes
- Signed releases with SHA-256 checksums
- Mandatory PR review before merge
Full Policy
See SECURITY.md for the complete security policy.
Related Pages
- Trust Package — Auditor-ready materials
- Governance — Project governance