Security Policy

Last updated: 2026-01-12

DataPass takes security seriously. This policy outlines our security practices and how to report vulnerabilities.

Reporting a Vulnerability

If you discover a security vulnerability in DataPass, please report it responsibly:

How to Report

  1. Do not open a public GitHub issue for security vulnerabilities
  2. Email security@datapass.meetkai.ai with details
  3. Include steps to reproduce the issue
  4. Allow reasonable time for us to respond before public disclosure

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)
  • Your contact information (for follow-up)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 7 days
  • Resolution: Depends on severity; critical issues prioritized
  • Disclosure: Coordinated with reporter

Scope

The following are in scope for security reports:

  • The DataPass website (datapass.meetkai.ai)
  • The DataPass schema validator
  • The DataPass GitHub repository
  • Client-side tools (Builder, Validator, Schema Explorer)

Out of Scope

  • Third-party services linked from DataPass
  • Datasets referenced in the registry (contact dataset maintainers directly)
  • General feedback or feature requests (use GitHub Discussions)

Security Architecture

Static Site

DataPass is deployed as a static website, which provides inherent security benefits:

  • No server-side code execution
  • No database to compromise
  • No user authentication system to attack
  • No server-side sessions or state

Client-Side Processing

All interactive tools process data locally in the browser:

  • Validator: JSON validation runs entirely in-browser using Ajv
  • Builder: Form data never leaves the browser
  • Schema Explorer: Static JSON display

No user-submitted data is transmitted to DataPass servers.

Content Security

DataPass implements security headers including:

  • Content Security Policy (CSP)
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy

Registry Security

Submission Review

Data card submissions to the registry are reviewed before merging:

  • Automated schema validation
  • Manual review by maintainers
  • Verification of links and URLs

Content Guidelines

Data cards must not contain:

  • Malicious URLs or links to malware
  • Executable code or scripts
  • Personal data of individuals without consent
  • Illegal or harmful content

Dependencies

We manage the security of third-party dependencies through:

  • Regular dependency updates
  • Automated vulnerability scanning (Dependabot)
  • Minimal dependency footprint
  • Review of new dependencies before addition

Known Limitations

Users should be aware of these limitations:

Data Card Verification

DataPass validates that data cards conform to the schema, but does not verify:

  • Accuracy of claims made in data cards
  • Validity of licenses claimed
  • Availability or safety of linked datasets
  • Identity of data card submitters

Data cards may contain URLs to external resources. DataPass does not control these resources and cannot guarantee their safety or availability.

Incident Response

In the event of a security incident:

  1. Affected content will be removed or disabled immediately
  2. Investigation will determine scope and impact
  3. Affected parties will be notified as appropriate
  4. Post-incident review will identify improvements

Security Updates

Security updates and advisories will be published:

  • In the GitHub repository security advisories
  • On this page for policy updates

Contact

For security-related inquiries:

  • Email: security@datapass.meetkai.ai

Acknowledgments

We thank the security researchers who have helped improve DataPass through responsible disclosure. Contributors will be acknowledged here with their permission.