This CivicTechWR project template is actively maintained. Security updates are provided for:

| Version | Supported |
|---|---|
| Latest | ✅ |
| Previous | ❌ |

If you discover a security vulnerability in this project template, please report it responsibly:
- Email: security@civictechwr.org (if available) or the project maintainers
- Response Time: We aim to respond within 48 hours
If you're using this template for your CTWR project and discover a security issue:
- Do NOT create a public GitHub issue
- Contact the project team directly through private channels
- Follow responsible disclosure - give teams time to fix issues
- Clear description of the vulnerability
- Steps to reproduce the security issue
- Potential impact on users and community
- Suggested fix if you have ideas
- Your contact information for follow-up
- Acknowledgment - We'll confirm receipt within 48 hours
- Assessment - We'll evaluate the severity and impact
- Fix Development - We'll work on a solution
- Disclosure - We'll coordinate public disclosure with you
- Recognition - We'll acknowledge your contribution (if desired)
- Review the Security Guide before starting development
- Use secure coding practices throughout development
- Enable automated security scanning in your repository
- Follow the Gitleaks Response Guide whenever the secret scanning workflow reports a finding
- Conduct security reviews before major releases
- Train team members on civic tech security considerations
- Report security issues responsibly - Don't create public issues for vulnerabilities
- Keep dependencies updated - Regularly update project dependencies
- Follow security guidelines when contributing code
- Respect user privacy when testing or providing feedback
CivicTech projects often handle sensitive community data. Special considerations:
- Privacy by design - Minimize data collection
- Transparency - Be clear about data use
- Community consent - Get explicit permission for data collection
- Secure storage - Protect any collected data
- Data retention - Delete data when no longer needed
When working with government partners:
- Understand data classification - Know sensitivity levels
- Follow compliance requirements - Meet government security standards
- Secure communication - Use encrypted channels for sensitive discussions
- Access controls - Limit who can access government data
- Audit trails - Log access to sensitive information
- Security Guide - Comprehensive security documentation
- Technical Design - Security architecture guidance
- Contributing Guidelines - Security requirements for contributors
- OWASP Top 10 - Common web application security risks
- Canadian Centre for Cyber Security - Government security resources
- Privacy Commissioner of Canada - Privacy law guidance
- PIPEDA - Personal Information Protection and Electronic Documents Act
- Primary channels: email civictechwr@gmail.com, post in the private organizers channel, or send a direct message in the CTWR Slack workspace
- GitHub escalation: mention @CivicTechWR/organizers on the relevant issue or pull request to notify the organizers team
The CivicTechWR security group is volunteer-run and does not maintain a formal SLA. We address reports as quickly as the team is available and will coordinate next steps once someone has acknowledged the issue. If a report seems urgent, use every channel above and add “URGENT” in the subject or message so we can prioritize it when a volunteer is online.
We believe in recognizing security researchers who help improve civic technology:
- Responsible disclosure contributors will be acknowledged
- Security hall of fame for significant contributions
- Reference letters for security researchers (upon request)
- Community recognition at Demo Day or community meetings
CivicTechWR projects support security research conducted in good faith:
- Authorized testing - Security research on our public systems is permitted
- No legal action - We won't pursue legal action for good faith security research
- Coordinated disclosure - We'll work with you on responsible disclosure timelines
- Don't access user data - Only test with your own accounts/data
- Don't disrupt service - Avoid testing that could impact users
- Respect privacy - Don't access personal information
- Report responsibly - Follow our disclosure process
- Give us time - Allow reasonable time for fixes before public disclosure
Questions about this security policy?
Contact us through:
- CTWR Community Meetings - Weekly Wednesday meetings
- GitHub Discussions - For general security questions
- Direct Contact - For sensitive security matters
This policy applies to:
- The CivicTechWR project template repository
- Projects created using this template (each project should customize this policy)
- Community-contributed resources and documentation
This security policy is part of our commitment to building safe, trustworthy civic technology that serves our community responsibly.