Security and privacy are core to the mission of CommonsEngine.
We design and maintain our software with the conviction that technology must protect user agency, not compromise it.
This document explains how to report vulnerabilities, what to expect, and how we handle disclosures.
- Privacy is agency: safeguarding user data is a moral and technical priority.
- Transparency builds trust: issues are resolved openly whenever it is responsible to do so.
- Responsible disclosure: coordinated reporting prevents harm while ensuring accountability.
- No retaliation: good-faith research and reporting are always welcomed.
If you discover a security vulnerability in any CommonsEngine project:
- Do not open a public issue or discussion.
- Instead, send a detailed report to: mailtokasun[at]gmail.com (will replace with org address later)
Please include:
- Project and version affected
- Detailed description of the vulnerability
- Steps to reproduce or proof of concept
- Suggested mitigation (if known)
- Your contact information for follow-up
- You will receive acknowledgment within 48 hours and a more detailed response within 5 business days.
This policy applies to all repositories under the CommonsEngine GitHub organization, including:
- Core infrastructure projects (e.g. Sovereign, PaperTrail)
- Documentation sites, deployment scripts, and SDKs
- Related containers, APIs, and integration tools
Security reports related to third-party dependencies should also be sent here; we will coordinate disclosure with the upstream maintainers.
- Triage: the report is reviewed by maintainers and stewards to verify impact.
- Mitigation: a fix or patch is prepared in a private branch.
- Coordinated release: updates are pushed to public repos and announcements are made once users can upgrade safely.
- Acknowledgment: researchers who responsibly disclose issues may be publicly credited (unless anonymity is requested).
We aim to resolve and publicly disclose vulnerabilities within 30 days, though complex issues may require more time.
If disclosure deadlines must shift, we will communicate transparently with the reporter.
Security fixes are generally backported to the latest two minor versions of each actively maintained project.
Older versions may not receive updates but can be forked and patched by the community under the same open license.
If you wish to encrypt your report, request our current PGP public key via the security email above.
Encrypted communication is encouraged for all sensitive reports.
When a security issue is resolved, we will publish a Security Advisory in the affected repository using GitHub's advisory system, detailing:
- The issue and its severity
- Versions affected and fixed
- Mitigation or upgrade instructions
- Acknowledgments (if applicable)
We welcome collaboration with independent security researchers, academic institutions, and civic-tech groups.
Testing within responsible boundaries, without exploiting or disclosing user data, is encouraged and appreciated.
CommonsEngine pledges no legal action against individuals who:
- Report vulnerabilities in good faith.
- Follow this policy and avoid harm.
- Respect privacy and data boundaries.
We see ethical security research as part of the commons itself.
CommonsEngine
Building the infrastructure for digital self-determination.
Powering the Digital Commons.