Only the latest release on the main branch receives security updates.
If you discover a security vulnerability, please report it responsibly:
- Do not open a public GitHub issue
- Use GitHub Security Advisories to report privately
- Include steps to reproduce, affected components, and potential impact
We will acknowledge reports within 7 days and aim to release a fix within 30 days for confirmed vulnerabilities.
This project serves publicly available government water data. It does not store user accounts, passwords, or personally identifiable information. The primary security surface is:
- HTTP security headers (CSP, X-Frame-Options, Referrer-Policy)
- Input validation on URL parameters
- SQLite query parameterisation
- Upstream API request handling

The following are out of scope:
- Vulnerabilities in upstream government APIs
- Issues requiring physical access to the deployment server
- Social engineering attacks