If you discover a security vulnerability in this specification, please report it responsibly.

If you find a security flaw in the specification itself (e.g., a cryptographic weakness, a design flaw that could be exploited), please:

1. Do not open a public issue
2. Email greg.vonnessi@entrolution.ai with details
3. Allow reasonable time for the issue to be addressed before public disclosure

If you find a security issue in the reference implementation (cdx-core), please report it in that repository's security advisories.

This security policy covers:

• The Codex Document Format specification
• JSON schemas in this repository
• Example documents in this repository

The specification includes several security-relevant sections:

• Document Hashing (spec/core/06-document-hashing.md) - Content integrity
• State Machine (spec/core/07-state-machine.md) - Document lifecycle security
• Security Extension (spec/extensions/security/) - Signatures and encryption

When implementing the specification, pay particular attention to these sections.