Skip to content

Security: xops-labs/ClimateRiskIQ

Security

SECURITY.md

Security Policy

Supported versions

Version Supported
0.1.x Yes
< 0.1.0 No

ClimateRiskIQ is early-stage software maintained by a single person. Only the current 0.1.x line receives security fixes.

Reporting a vulnerability

Please report security issues privately using GitHub's private vulnerability reporting:

  1. Go to the repository's Security tab.
  2. Click Report a vulnerability.
  3. Describe the issue, the impact, and steps to reproduce.

Do not open a public issue for a security vulnerability, and please do not disclose it publicly until a fix is available.

There is intentionally no email contact. All security correspondence happens through GitHub's private advisory workflow so it stays on the record and associated with the repository.

Response expectations

This is a solo, best-effort project. There is no SLA. I will acknowledge and triage reports as soon as I reasonably can, prioritize confirmed issues by impact, and credit reporters who want credit once a fix ships.

Deployment hardening notes

A few defaults in this repository exist purely for local development and must be changed before any real deployment:

  • demo/demo login (LOCAL_AUTH_USERNAME / LOCAL_AUTH_PASSWORD) and the climate/climate PostgreSQL credentials in docker-compose.yml are local-development conveniences. Override every one of them in any environment that is reachable by anyone other than you.
  • JWT_SIGNING_KEY is mandatory outside Development. Set a strong, random key. Do not run a non-development deployment without it.
  • Be aware of the current API surface. In this release the JWT login flow works but no endpoint calls .RequireAuthorization(), so the HTTP API is effectively open. Do not expose it to untrusted networks without putting your own authentication/authorization in front of it. Enforced endpoint authorization is on the roadmap (see ROADMAP.md).
  • The report-creation rate limit (30 requests/minute/IP) is in-memory and per-instance, not a shared/distributed limit. Do not rely on it as a security control across multiple instances.

Scope

ClimateRiskIQ is a rules-based screening tool built on free public data. It is explicitly not a validated catastrophe model and is not intended for underwriting, lending, or regulatory disclosure. Security reports about the software itself (auth, injection, secret handling, dependency issues) are in scope. The accuracy of upstream public datasets is not.

There aren't any published security advisories