| Version | Supported |
|---|---|
| 0.1.x | Yes |
| < 0.1.0 | No |
ClimateRiskIQ is early-stage software maintained by a single person. Only the
current 0.1.x line receives security fixes.
Please report security issues privately using GitHub's private vulnerability reporting:
- Go to the repository's Security tab.
- Click Report a vulnerability.
- Describe the issue, the impact, and steps to reproduce.
Do not open a public issue for a security vulnerability, and please do not disclose it publicly until a fix is available.
There is intentionally no email contact. All security correspondence happens through GitHub's private advisory workflow so it stays on the record and associated with the repository.
This is a solo, best-effort project. There is no SLA. I will acknowledge and triage reports as soon as I reasonably can, prioritize confirmed issues by impact, and credit reporters who want credit once a fix ships.
A few defaults in this repository exist purely for local development and must be changed before any real deployment:
demo/demologin (LOCAL_AUTH_USERNAME/LOCAL_AUTH_PASSWORD) and theclimate/climatePostgreSQL credentials indocker-compose.ymlare local-development conveniences. Override every one of them in any environment that is reachable by anyone other than you.JWT_SIGNING_KEYis mandatory outsideDevelopment. Set a strong, random key. Do not run a non-development deployment without it.- Be aware of the current API surface. In this release the JWT login flow works
but no endpoint calls
.RequireAuthorization(), so the HTTP API is effectively open. Do not expose it to untrusted networks without putting your own authentication/authorization in front of it. Enforced endpoint authorization is on the roadmap (seeROADMAP.md). - The report-creation rate limit (30 requests/minute/IP) is in-memory and per-instance, not a shared/distributed limit. Do not rely on it as a security control across multiple instances.
ClimateRiskIQ is a rules-based screening tool built on free public data. It is explicitly not a validated catastrophe model and is not intended for underwriting, lending, or regulatory disclosure. Security reports about the software itself (auth, injection, secret handling, dependency issues) are in scope. The accuracy of upstream public datasets is not.