Thank you for helping keep Civic Interconnect safe and trustworthy.
We support responsible disclosure and appreciate reports made in good faith.
This policy applies to:
- security issues in our repositories (Python, Node, TypeScript, or schema files)
- dependency vulnerabilities or unsafe configurations
- incorrect handling of tokens, secrets, or CI workflows
- potential manipulation of provenance mechanisms or ptag.json files

The following are not in scope:
- issues with external civic datasets or public APIs
- political or policy disagreements
- general bugs that do not pose a security risk
- vulnerabilities in third-party tools or libraries

Please report security concerns privately using GitHub's Private Vulnerability Report feature:
- Navigate to the repository where the issue exists.
- Go to Security / Report a vulnerability.
- Submit the details privately.

This ensures the issue is not publicly visible while it is being reviewed.
If the repository does not support this feature, you may also open a confidential GitHub Security Advisory draft.
We aim to:
- acknowledge receipt of your report within 5 business days
- provide an initial assessment within 10 business days
- prepare fixes or further investigation as appropriate

When possible, we will credit reporters for responsible disclosure.
We welcome good-faith security research.
If you follow this policy and do not intentionally cause harm, we are unlikely to pursue legal action.
Thank you for supporting the integrity of Civic Interconnect projects.