bharatgraph / SECURITY.md
abinazebinoy's picture
Merge branch 'main' into docs/readme-contributing-security-license
ebdca73 unverified
|
Raw
History Blame Contribute Delete
2.33 kB

Security Policy

Reporting a Vulnerability

Do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.

Use GitHub's private vulnerability reporting: Repository page > Security tab > Advisories > Report a vulnerability.

Include in your report:

  • Description of the vulnerability and its potential impact
  • The file or component affected
  • Steps to reproduce
  • Proof of concept code if applicable

You will receive an acknowledgement within 72 hours. Confirmed vulnerabilities targeting credentials, data exposure, or injection will be patched within 14 days.


Credential Security

No credentials are ever committed to this repository. The .env file is listed in .gitignore and must never be staged or committed.

The .env.example file contains only placeholder strings. If you discover that real credentials appear anywhere in the repository history, report it immediately. The affected credentials must be rotated before any other remediation step.

If a DataGov API key or Neo4j password is exposed:

  1. Rotate the credential immediately at the issuing service.
  2. Report the exposure via the private advisory process above.
  3. The repository history will be cleaned using git filter-repo.

Known Security Considerations

.env file: Contains the DataGov API key and Neo4j password. This file must not be shared, committed, or included in any archive uploaded to a public location. It is excluded by .gitignore.

Scraped data in data/: The data/raw/, data/samples/, and data/processed/ directories are git-ignored. They contain information from official public government filings. Do not commit these directories or share their contents outside a controlled research context.

Neo4j AuraDB: Uses TLS in transit. The free AuraDB instance requires a username and password. Use a strong randomly generated password. Rotate it if you believe it has been exposed.

GitHub Actions secrets: Repository secrets for NEO4J_URI, NEO4J_USER, NEO4J_PASSWORD, and DATAGOV_API_KEY must be configured in repository Settings > Secrets and Variables > Actions. Never echo secrets in workflow logs.


Supported Versions

Security fixes are applied to the current state of the main branch. Older commits are not patched separately.