ChronalLabs is committed to maintaining a secure, responsible, and trustworthy open-source ecosystem.
Given the civic and public-impact nature of our tools, security, privacy, and ethical integrity are core priorities.

This document outlines how security vulnerabilities should be reported and handled.

As ChronalLabs evolves as a modular ecosystem, active security support applies to:

Security patches will only be applied to actively maintained branches.

If you discover a security vulnerability, please do not open a public issue.

Instead, report it privately using one of the following methods:

Primary Contact:

• Email: security@chronallabs.org (replace with official email when available)

If email is not yet active:

• Contact the maintainers directly via GitHub private message.

Please include:

• Description of the vulnerability
• Steps to reproduce
• Affected modules or components
• Potential impact assessment
• Suggested remediation (if available)

Providing a Proof-of-Concept (PoC) is helpful but not required.

We aim to follow responsible disclosure practices:

• Acknowledgment: Within 48 hours
• Initial assessment: Within 5–7 days
• Patch development: Based on severity
• Public disclosure: After patch release (coordinated)

Critical vulnerabilities affecting citizen data, policy systems, or AI-generated outputs will receive highest priority.

ChronalLabs includes systems that may process:

• User-generated civic drafts
• Resume documents (PDF/DOCX parsing)
• Geolocation data (NeedNearby, Climate Assistance)
• Calendar authentication tokens (Learning Planner Pro)
• Policy evaluation inputs (CIVISIM)

We prioritize security practices in:

• Input validation
• File parsing safety
• API authentication and token handling
• Secure OAuth2 implementation
• Rate limiting
• Role-based access control
• Data minimization principles
• Dependency monitoring

Some ChronalLabs modules use AI systems. We actively monitor for:

• Prompt injection vulnerabilities
• Data leakage risks
• Model hallucination risks in civic drafting
• Abuse of automated generation systems
• Unintended policy misinterpretation

All AI outputs are explicitly marked as drafts and require human verification.

We encourage:

• Regular dependency updates
• Use of vulnerability scanners
• Static analysis tools
• Secure environment variable management
• HTTPS enforcement in deployments
• Proper secrets handling in CI/CD pipelines

Contributors must never commit:

• API keys
• OAuth tokens
• Private credentials
• Production database URLs
• Access secrets of any kind

ChronalLabs follows these guiding principles:

• Data minimization
• No unnecessary long-term storage of personal data
• Transparent user disclosure
• Avoiding collection of sensitive data unless absolutely required
• Clear separation between user input and system output

Once a vulnerability is:

• Confirmed
• Patched
• Reviewed

We will publish a responsible disclosure note including:

• Description of the issue
• Severity classification
• Affected versions
• Remediation steps
• Credit to the reporter (if desired)

We value ethical security research.

Researchers who responsibly disclose vulnerabilities may be acknowledged in:

• Repository credits
• Release notes
• Security advisory sections

We will not pursue legal action against researchers who:

• Act in good faith
• Avoid data exploitation
• Avoid service disruption
• Provide reasonable time for remediation
• Do not publicly disclose before patch release

Security is an ongoing process.

As ChronalLabs grows into a broader civic-tech ecosystem, this policy will evolve to:

• Introduce formal threat modeling
• Establish security review processes
• Adopt secure SDLC practices
• Align with best practices in civic and public-sector technology

ChronalLabs builds decision-support civic systems.
Security, integrity, and public trust are foundational to our mission.

If you believe something can be improved — please tell us.

Together, we build secure civic infrastructure.