Security Policy

Reporting Vulnerabilities

If you discover a security vulnerability in any civic-source project, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, use GitHub Security Advisories to report the vulnerability privately. Navigate to the affected repository's Security tab and click "Report a vulnerability."

What We Consider Security Issues

XML entity expansion (XXE) in document parsing
Path traversal in file generation
Credential or secret exposure
Dependency vulnerabilities with known exploits
CI/CD pipeline injection vectors

Response Timeline

We aim to acknowledge security reports within 48 hours and provide a fix or mitigation plan within 7 days for critical issues.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security

SECURITY.md

Security Policy

Reporting Vulnerabilities

What We Consider Security Issues

Response Timeline

There aren’t any published security advisories

Security: civic-source/.github

Security

SECURITY.md

Security Policy

Reporting Vulnerabilities

What We Consider Security Issues

Response Timeline

There aren’t any published security advisories