Security: CivicTechWR/.github

SECURITY.md

Security Policy

Supported Versions

This CivicTechWR project template is actively maintained. Security updates are provided for:

Version Supported
Latest
Previous

Reporting a Vulnerability

For Template Security Issues

If you discover a security vulnerability in this project template, please report it responsibly:

  • Email: security@civictechwr.org (if available) or the project maintainers
  • Response Time: We aim to respond within 48 hours

For Project-Specific Security Issues

If you're using this template for your CTWR project and discover a security issue:

  1. Do NOT create a public GitHub issue
  2. Contact the project team directly through private channels
  3. Follow responsible disclosure - give teams time to fix issues

Security Reporting Process

What to Include in Reports

  • Clear description of the vulnerability
  • Steps to reproduce the security issue
  • Potential impact on users and community
  • Suggested fix if you have ideas
  • Your contact information for follow-up

What Happens Next

  1. Acknowledgment - We'll confirm receipt within 48 hours
  2. Assessment - We'll evaluate the severity and impact
  3. Fix Development - We'll work on a solution
  4. Disclosure - We'll coordinate public disclosure with you
  5. Recognition - We'll acknowledge your contribution (if desired)

Security Best Practices for CTWR Projects

For Project Teams

  • Review the Security Guide before starting development
  • Use secure coding practices throughout development
  • Enable automated security scanning in your repository
  • Follow the Gitleaks Response Guide whenever the secret scanning workflow reports a finding
  • Conduct security reviews before major releases
  • Train team members on civic tech security considerations

For Community Members

  • Report security issues responsibly - Don't create public issues for vulnerabilities
  • Keep dependencies updated - Regularly update project dependencies
  • Follow security guidelines when contributing code
  • Respect user privacy when testing or providing feedback

Civic Tech Security Considerations

Community Data Protection

CivicTech projects often handle sensitive community data. Special considerations:

  • Privacy by design - Minimize data collection
  • Transparency - Be clear about data use
  • Community consent - Get explicit permission for data collection
  • Secure storage - Protect any collected data
  • Data retention - Delete data when no longer needed

Government Partnership Security

When working with government partners:

  • Understand data classification - Know sensitivity levels
  • Follow compliance requirements - Meet government security standards
  • Secure communication - Use encrypted channels for sensitive discussions
  • Access controls - Limit who can access government data
  • Audit trails - Log access to sensitive information

Security Resources

For CTWR Teams

External Resources

  • OWASP Top 10 - Common web application security risks
  • Canadian Centre for Cyber Security - Government security resources
  • Privacy Commissioner of Canada - Privacy law guidance
  • PIPEDA - Personal Information Protection and Electronic Documents Act

Security Contacts

How to Reach Us

  • Primary channels: email civictechwr@gmail.com, post in the private organizers channel, or send a direct message in the CTWR Slack workspace
  • GitHub escalation: mention @CivicTechWR/organizers on the relevant issue or pull request to notify the organizers team

Response Expectations

The CivicTechWR security group is volunteer-run and does not maintain a formal SLA. We address reports as quickly as the team is available and will coordinate next steps once someone has acknowledged the issue. If a report seems urgent, use every channel above and add “URGENT” in the subject or message so we can prioritize it when a volunteer is online.

Security Acknowledgments

We believe in recognizing security researchers who help improve civic technology:

  • Responsible disclosure contributors will be acknowledged
  • Security hall of fame for significant contributions
  • Reference letters for security researchers (upon request)
  • Community recognition at Demo Day or community meetings

Legal Safe Harbor

CivicTechWR projects support security research conducted in good faith:

  • Authorized testing - Security research on our public systems is permitted
  • No legal action - We won't pursue legal action for good faith security research
  • Coordinated disclosure - We'll work with you on responsible disclosure timelines

Guidelines for Security Research

  • Don't access user data - Only test with your own accounts/data
  • Don't disrupt service - Avoid testing that could impact users
  • Respect privacy - Don't access personal information
  • Report responsibly - Follow our disclosure process
  • Give us time - Allow reasonable time for fixes before public disclosure

Questions about this security policy?

Contact us through:

  • CTWR Community Meetings - Weekly Wednesday meetings
  • GitHub Discussions - For general security questions
  • Direct Contact - For sensitive security matters

This policy applies to:

  • The CivicTechWR project template repository
  • Projects created using this template (each project should customize this policy)
  • Community-contributed resources and documentation

This security policy is part of our commitment to building safe, trustworthy civic technology that serves our community responsibly.