If you discover a security vulnerability in this repository, please do not open a public GitHub issue. Instead, report it privately by emailing info@civicdatalab.in with the subject line [SECURITY] risk-score-model-generic.
Please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept (if available)
- Any suggested fix or mitigation
We will acknowledge your report within 5 business days and aim to resolve confirmed vulnerabilities within 30 days. We will credit reporters in the release notes unless you request otherwise.
This repository contains:
- Python scripts for risk-score computation
- TOML configuration files
- Sample tabular data (administrative-unit aggregates, no personal data)
- Administrative boundary utilities
Security concerns relevant to this scope include: dependency vulnerabilities, unsafe handling of user-supplied configuration, and unintended exposure of data in sample files.
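One way to address the "unsafe handling of user-supplied configuration" concern is to validate an operator's TOML file before any script acts on it. The following is an added example, not code from this repository: it parses the file with a data-only parser and rejects unknown tables, malformed or out-of-range weights, and input paths that escape the data/ directory. The table names (`[weights]`, `[inputs]`), the weight keys and the limits are assumptions, not the project's real schema.

```python
"""Added example (not code from this repository): validate an operator-supplied TOML
config before the risk-score scripts act on it; table names, keys and limits are assumed."""
import math
from pathlib import Path

try:
    import tomllib  # stdlib since Python 3.11; a data-only parser, it never executes input
except ModuleNotFoundError:  # older interpreters: same API from the tomli package
    import tomli as tomllib

ALLOWED_TABLES = {"weights", "inputs"}  # assumed top-level tables
ALLOWED_WEIGHTS = {"rainfall", "inundation", "population", "damage"}  # assumed weight keys
DATA_ROOT = Path("data").resolve()  # sample-data directory named in the policy


def validate_config(toml_text: str) -> dict:
    """Parse the config text and raise ValueError on anything unexpected."""
    cfg = tomllib.loads(toml_text)  # TOMLDecodeError is a ValueError subclass
    # 1. Reject unknown tables so a typo or injected key cannot silently change behaviour.
    if unknown := set(cfg) - ALLOWED_TABLES:
        raise ValueError(f"unknown config tables: {sorted(unknown)}")
    weights, inputs = cfg.get("weights", {}), cfg.get("inputs", {})
    if not (isinstance(weights, dict) and isinstance(inputs, dict)):
        raise ValueError("[weights] and [inputs] must be tables")
    # 2. Weights must be known keys holding finite numbers in [0, 1] that sum to 1.
    if bad := set(weights) - ALLOWED_WEIGHTS:
        raise ValueError(f"unknown weight keys: {sorted(bad)}")
    for name, w in weights.items():
        is_number = isinstance(w, (int, float)) and not isinstance(w, bool)
        if not is_number or not math.isfinite(w) or not 0 <= w <= 1:
            raise ValueError(f"weight {name!r} must be a finite number in [0, 1], got {w!r}")
    if weights and not math.isclose(sum(weights.values()), 1.0, abs_tol=1e-6):
        raise ValueError("weights must sum to 1")
    # 3. Input paths must be strings that resolve inside data/ (no absolute paths, no '..').
    for key, rel in inputs.items():
        if not isinstance(rel, str):
            raise ValueError(f"input {key!r} must be a path string")
        full = (DATA_ROOT / rel).resolve()
        if full != DATA_ROOT and DATA_ROOT not in full.parents:
            raise ValueError(f"input {key!r} escapes the data directory: {rel!r}")
    return cfg


def config_is_rejected(toml_text: str) -> bool:
    """True if validate_config refuses the text (used with constructed inputs in checks)."""
    try:
        validate_config(toml_text)
    except ValueError:
        return True
    return False
```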
This repository does not include a web service, API, authentication layer, or database. Operators who deploy this model as part of a larger system are responsible for securing their own infrastructure.
The model operates exclusively on administrative-unit aggregates — statistics at the level of districts, blocks, revenue circles, or villages. Input variables include rainfall measurements, inundation extents, population totals, infrastructure counts, recorded damage figures (deaths, affected persons, crop loss), and government expenditure.
It does not collect, store, or process personally identifiable information (PII) about individuals at any point in the pipeline.
Several input datasets carry their own terms of use (for example, government tender portals or commercial map services). Operators deploying this model are responsible for ensuring that their use of upstream data complies with the relevant terms and with applicable data-protection law in their jurisdiction — including, in the Indian context, the Digital Personal Data Protection Act, 2023.
The sample dataset shipped in data/ contains aggregated figures derived from publicly available government sources for the state of Assam. It does not contain individual-level records.
Risk scores produced by this model are relative classifications (1–5) at the administrative-unit level. Operators publishing these scores should be mindful of:
- Not using low-risk classifications to justify withdrawal of services or preparedness investment in areas with sparse damage-reporting infrastructure.
- Disclosing the input data, configuration, and any local methodological adjustments alongside published outputs so that scores are auditable.
This project's Python dependencies are listed in requirements.txt. We recommend periodically auditing them for known CVEs using tools such as pip-audit or safety.
```bash
pip install pip-audit
pip-audit -r requirements.txt
```
For security or privacy concerns, contact CivicDataLab at info@civicdatalab.in.