Please do not report security vulnerabilities or sensitive data exposure through public GitHub issues.
Use GitHub private vulnerability reporting when it is available for this repository:
https://github.com/Open-Syria/data-geography/security/advisories/new
If private vulnerability reporting is not available, contact the project maintainers privately through the OpenSyria organization.
Include enough detail for maintainers to reproduce and assess the issue:
- affected file, script, workflow, dependency, or dataset record,
- impact and likely severity,
- reproduction steps,
- relevant non-sensitive logs,
- affected version, branch, or commit,
- whether the issue is already public.
Do not include secrets, private tokens, private infrastructure URLs, personal data, restricted data, or sensitive operational details in the report.
Security reports can include:
- dependency vulnerabilities,
- unsafe scripts or workflows,
- path traversal or file-read issues,
- CI or supply-chain weaknesses,
- accidental exposure of secrets or private data,
- sensitive data appearing in dataset records,
- unsafe publication of restricted, military, checkpoint, surveillance, or operational-sensitive information.
If a dataset record contains sensitive or unsafe information, report it privately.
Examples:
- private addresses or personal contact details,
- data that identifies private individuals,
- security, military, checkpoint, surveillance, or operational-sensitive locations,
- restricted source material accidentally imported into the repository.
Normal data corrections, missing records, source disagreements, and naming disputes should use public issue forms.
Please give maintainers reasonable time to investigate and prepare a fix before public disclosure.