Standard for machine-readable abuse reports across the security industry
XARF v4 provides a unified, structured format for reporting cyber abuse incidents including spam, phishing, malware, network attacks, and more. Built for automation, integration, and industry-wide adoption.
XARF enables standardized abuse reporting between all major internet infrastructure providers:
- 🏢 Hosting Providers - Report compromised websites, malware hosting, phishing sites
- 🌐 Internet Service Providers (ISPs) - Network abuse, botnet infections, spam sources
- 📝 Domain Registrars - Malicious domain registrations, trademark violations
- 🗂️ Domain Registries - Registry-level abuse patterns, DNS security issues
- ☁️ Cloud Providers - Infrastructure abuse, compromised instances, malicious services
- 🔒 Security Vendors - Threat intelligence sharing, vulnerability disclosures
- 🏛️ Law Enforcement - Evidence collection, cross-jurisdiction reporting
```bash
# Install Python parser (Alpha)
pip install xarf-parser==4.0.0a1
```

```python
# Parse a XARF report
from xarf import XARFParser

parser = XARFParser()
report = parser.parse(json_data)
```

Complete XARF v4 Specification
- Technical documentation & schemas
- 30+ real-world sample reports
- Implementation guides
- Migration from XARF v3
Python Parser Library (Alpha)
- Parse & validate XARF v4 reports
- Type-safe Pydantic models
- Support for 3 core abuse classes
- PyPI package ready
| Class | Types | Examples |
|---|---|---|
| messaging | spam, phishing, social_engineering | Email spam, phishing emails, SMS abuse |
| connection | ddos, port_scan, login_attack | Network attacks, brute force, scanning |
| content | phishing_site, malware_distribution | Malicious websites, defaced pages |
| infrastructure | compromised_server, bot_infection | Compromised systems, botnets |
| copyright | dmca, trademark | IP infringement, brand violations |
| vulnerability | cve, open_service | Security flaws, misconfigurations |
| reputation | blocklist_entry, threat_intelligence | IOCs, threat data |
```json
{
  "xarf_version": "4.0.0",
  "report_id": "uuid-v4",
  "timestamp": "2024-01-01T12:00:00Z",
  "reporter": {
    "org": "Security Provider",
    "contact": "abuse@example.com",
    "type": "automated"
  },
  "source_identifier": "192.0.2.1",
  "class": "messaging",
  "type": "spam",
  "evidence_source": "spamtrap",
  "evidence": [...],
  "tags": ["category:financial", "severity:high"]
}
```

- 🔄 Standardized: Common format across security vendors
- 🤖 Automated: Built for machine processing & integration
- 🎯 Comprehensive: Covers all major abuse categories
- 📈 Scalable: Handles high-volume security operations
- 🔗 Interoperable: Works with existing security tools
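
A stdlib-only intake check for inbound reports, built from the sample report and the class/type table above. It is an added example, not code from the XARF project or its parser library. Treating the listed fields as required, the size cap, and the name `check_report` are assumptions.

```python
import json
from datetime import datetime
# Class -> types, copied from the table on this page (not the official schema).
CLASS_TYPES = {
    "messaging": {"spam", "phishing", "social_engineering"},
    "connection": {"ddos", "port_scan", "login_attack"},
    "content": {"phishing_site", "malware_distribution"},
    "infrastructure": {"compromised_server", "bot_infection"},
    "copyright": {"dmca", "trademark"},
    "vulnerability": {"cve", "open_service"},
    "reputation": {"blocklist_entry", "threat_intelligence"},
}
# Fields from the page's sample report; treating them as required is an assumption.
REQUIRED = ("xarf_version", "report_id", "timestamp", "reporter",
            "source_identifier", "class", "type")
MAX_BYTES = 1_000_000  # assumed size cap: reports come from untrusted senders

def check_report(raw: str) -> list:
    """Return a list of problems; an empty list means the report passed."""
    if len(raw.encode("utf-8")) > MAX_BYTES:
        return ["report exceeds size cap"]
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError) as exc:  # malformed or too deeply nested
        return [f"invalid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = [f"missing field: {n}" for n in REQUIRED if n not in doc]
    if problems:
        return problems
    if not str(doc["xarf_version"]).startswith("4."):
        problems.append("not a XARF v4 report")
    cls, typ = doc["class"], doc["type"]
    if not isinstance(cls, str) or cls not in CLASS_TYPES:
        problems.append(f"unknown class: {cls!r}")
    elif not isinstance(typ, str) or typ not in CLASS_TYPES[cls]:
        problems.append(f"type {typ!r} not listed for class {cls!r}")
    try:
        ts = datetime.fromisoformat(str(doc["timestamp"]).replace("Z", "+00:00"))
        if ts.tzinfo is None:  # ambiguous times make log correlation unreliable
            problems.append("timestamp has no timezone")
    except ValueError:
        problems.append("timestamp is not ISO 8601")
    return problems

# Constructed sample, modelled on the report shown on this page.
SAMPLE = ('{"xarf_version": "4.0.0", "report_id": "constructed-id", '
          '"timestamp": "2024-01-01T12:00:00Z", "reporter": {"contact": "abuse@example.com"}, '
          '"source_identifier": "192.0.2.1", "class": "messaging", "type": "spam"}')
```
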
- Core specification complete
- Python parser for 3 classes
- Sample data collection
- Community feedback integration
- Complete class coverage (all 7)
- JavaScript & Go parsers
- XARF v3 compatibility layer
- Advanced validation rules
- Production-ready performance
- SIEM integrations
- Industry pilot programs
- Conference presentations
- 📖 Documentation: Start with XARF v4 Specification
- 🐛 Issues: Report bugs or request features
- 💬 Discussions: Join our GitHub Discussions
- 🔧 Contribute: Submit pull requests or sample data
- Website: https://xarf.org
- Contact: contact@xarf.org
- License: MIT (commercial-friendly)
- Standards: Open specification, community-driven
Building the future of standardized abuse reporting 🚀