| Version | Supported |
|---|---|
| main | ✅ |

We take security seriously, especially given that this project handles research data about communities.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via:
- Email: Contact the repository owner directly
- GitHub Security Advisories: Use the "Security" tab to report privately

Please include the following information in your report:
- Type of vulnerability
- Full paths of source file(s) related to the issue
- Steps to reproduce
- Proof-of-concept or exploit code (if possible)
- Impact of the issue

Response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution Target: Dependent on severity

After a report is received, you can expect:
- Acknowledgment of your report
- Assessment of the vulnerability
- Plan for addressing the issue
- Credit in the fix (unless you prefer to remain anonymous)

Data handling and security practices:
- All data used is publicly available (CDC PLACES, USDA FARA, Census)
- No personally identifiable information (PII) is collected or stored
- Census tract data is aggregated at the population level
- The application follows OWASP security guidelines
- Dependencies are regularly scanned for vulnerabilities
- API endpoints are rate-limited and validated

The following are in scope for security reports:
- The web application at resilience-mapping.fly.dev
- API endpoints
- Data processing pipelines
- Authentication/authorization issues

The following are out of scope:
- Denial of service attacks
- Social engineering
- Physical security
- Issues in third-party services

Thank you for helping keep this research platform secure.