Please do not report security vulnerabilities through public GitHub issues.
Use GitHub private vulnerability reporting when it is available for this repository:
https://github.com/Open-Syria/website/security/advisories/new
If private vulnerability reporting is not available, contact the project maintainers privately through the OpenSyria organization.
Include enough detail for maintainers to reproduce and assess the issue:
- affected route, page, component, command, workflow, or dependency,
- impact and likely severity,
- reproduction steps,
- relevant non-sensitive logs,
- affected version, branch, or commit,
- whether the issue is already public.
Do not include secrets, private tokens, private infrastructure URLs, personal data, or restricted data in the report.
Security reports can include:
- dependency vulnerabilities,
- cross-site scripting or unsafe rendering,
- unsafe request handling,
- CORS or security-header misconfiguration,
- deployment hardening issues,
- CI or supply-chain weaknesses,
- accidental exposure of secrets or private data.
Dataset record corrections, missing records, source disagreements, and website content corrections are not security reports unless they expose private, personal, restricted, military, or surveillance-related information.
Please give maintainers reasonable time to investigate and prepare a fix before public disclosure.