Security: CivicTechWR/connectedkw

SECURITY.md

Security Policy

Policy Maintenance

This security policy is actively maintained by CivicTechWR organizers. It was last reviewed November 14, 2025 and is scheduled for review May 14, 2026.

Reporting a Vulnerability

For Template Security Issues

If you discover a security vulnerability in this project template, please report it responsibly:

  • Email: civictechwr@gmail.com (mention "security" in the subject line).
  • GitHub escalation: Mention @CivicTechWR/organizers on an issue or pull request if you need organizer attention.
  • Response Time: Volunteers aim to acknowledge reports within 48 hours.

For Project-Specific Security Issues

If you are using this template for your CivicTechWR project and discover a security issue:

  1. Do not create a public GitHub issue.
  2. Contact the project team directly through private channels, or email civictechwr@gmail.com if you are unsure who to reach.
  3. Follow responsible disclosure by giving maintainers time to investigate and fix the issue before any public discussion.

Security Reporting Process

What to Include in Reports

  • Clear description of the vulnerability
  • Steps to reproduce the security issue
  • Potential impact on users and community
  • Suggested fix if you have ideas
  • Your contact information for follow-up

What Happens Next

  1. Acknowledgment - We will confirm receipt within 48 hours.
  2. Assessment - We will evaluate the severity and impact.
  3. Fix development - We will work on a solution and share timelines when possible.
  4. Disclosure - We will coordinate responsible disclosure with you.
  5. Recognition - We will acknowledge your contribution if you would like.

Security Best Practices for CTWR Projects

For Project Teams

  • Plan security from the start by identifying data flows and trust boundaries in project docs or issues.
  • Use secure coding practices throughout development and review contributions for potential risks.
  • Enable automated scanning such as GitHub secret scanning, Dependabot alerts, and linting that focuses on security concerns.
  • Review collaborator access quarterly and remove or reduce access for accounts that have not contributed recently to limit exposure from dormant accounts.
  • Conduct security reviews before major releases or partner deployments.
  • Onboard volunteers with guidance on handling sensitive community data.

For Community Members

  • Report security issues responsibly by using the private channels listed above.
  • Keep dependencies updated in your contributions to minimize known vulnerabilities.
  • Follow security guidelines when contributing code or documentation.
  • Respect user privacy when testing or providing feedback.

Civic Tech Security Considerations

Community Data Protection

Civic tech projects often handle sensitive community data. Special considerations:

  • Privacy by design - Minimize data collection.
  • Transparency - Be clear about data use.
  • Community consent - Get explicit permission for data collection when possible.
  • Secure storage - Protect any collected data.
  • Data retention - Delete data when no longer needed.

Government Partnership Security

When working with government partners:

  • Understand data classification so you know the sensitivity of information you handle.
  • Follow compliance requirements aligned to the partner's standards.
  • Use secure communication channels for sensitive discussions.
  • Apply access controls to limit who can access government data.
  • Maintain audit trails that log access to sensitive systems or records.

Security Resources

For CTWR Teams

External Resources

Security Contacts

How to Reach Us

  • Primary channel: Email civictechwr@gmail.com (include context or repository name in the subject line).
  • Slack escalation: Direct message the organizers or post in the private organizers channel if you already have access.
  • GitHub escalation: Mention @CivicTechWR/organizers on the relevant issue or pull request to notify the organizers team.

Response Expectations

The CivicTechWR security group is volunteer-run and does not maintain a formal SLA. We address reports as quickly as the team is available and will coordinate next steps once someone has acknowledged the issue. If a report seems urgent, use every channel above and add "URGENT" in the subject or message so we can prioritize it when a volunteer is online.

Security Acknowledgments

We believe in recognizing security researchers who help improve civic technology:

  • Responsible disclosure contributors will be acknowledged
  • Security hall of fame for significant contributions
  • Reference letters for security researchers (upon request)
  • Community recognition at Demo Day or community meetings

Legal Safe Harbor

CivicTechWR projects support security research conducted in good faith:

  • Authorized testing - Security research on our public systems is permitted
  • No legal action - We won't pursue legal action for good faith security research
  • Coordinated disclosure - We'll work with you on responsible disclosure timelines

Guidelines for Security Research

  • Don't access user data - Only test with your own accounts/data
  • Don't disrupt service - Avoid testing that could impact users
  • Respect privacy - Don't access personal information
  • Report responsibly - Follow our disclosure process
  • Give us time - Allow reasonable time for fixes before public disclosure

Questions about this security policy?

Contact us through:

  • CivicTechWR community meetings - Weekly Wednesday sessions noted on Luma.
  • GitHub Discussions - For general security questions that do not contain sensitive details.
  • Direct contact - Email civictechwr@gmail.com for sensitive security matters.

This policy applies to:

  • The CivicTechWR project template repository
  • Projects created using this template (each project should customize this policy)
  • Community-contributed resources and documentation

This security policy is part of our commitment to building safe, trustworthy civic technology that serves our community responsibly.