This repository contains the normative XF (Cross-Framework Architecture Model) specification and complementary documentation. Only the most recent published version of the spec receives security-related corrections.
| Version | Supported |
|---|---|
| latest | ✅ |
| older | ❌ |
Although this repo ships documents (not executable code), we still want to hear about issues that affect users — for example, malicious links, script injection in rendered pages, supply-chain problems with the CI workflows, or content that could mislead implementers in a security-sensitive way.
Please do not file a public GitHub issue for security reports.
Instead, use one of:
- GitHub private vulnerability reporting (preferred) — go to the repository's Security tab and click "Report a vulnerability". This opens a private advisory only visible to the maintainers.
- Email — security@xfarch.org (PGP key on request).
We aim to acknowledge reports within 72 hours and to provide an initial assessment within 7 days. Once a fix is ready we coordinate a disclosure date with the reporter and credit the reporter in the published advisory unless they prefer to remain anonymous.
In scope:
- The contents of `xfa-es.tex`, `XFA-RULES.md`, and any other published spec artefact.
- Workflows under `.github/workflows/` (link-check, markdown lint).
- The static site published from this repo (when applicable).
Out of scope:
- Third-party services we link to.
- Issues that require an attacker to already control the maintainer's GitHub account.