Security

Last updated: December 2024

DataPass takes security seriously. This policy outlines our security practices and how to report vulnerabilities.

Reporting a Vulnerability

If you discover a security vulnerability in DataPass, please report it responsibly:

How to Report

  1. Do not open a public GitHub issue for security vulnerabilities
  2. Email security@datapass.meetkai.ai with details
  3. Include steps to reproduce the issue
  4. Allow reasonable time for us to respond before public disclosure

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)
  • Your contact information (for follow-up)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 7 days
  • Resolution: Depends on severity; critical issues prioritized
  • Disclosure: Coordinated with reporter

Scope

The following are in scope for security reports:

  • The DataPass website (datapass.meetkai.ai)
  • The DataPass schema validator
  • The DataPass GitHub repository
  • Client-side tools (Builder, Validator, Schema Explorer)

Out of Scope

  • Third-party services linked from DataPass
  • Datasets referenced in the registry (contact dataset maintainers directly)
  • General feedback or feature requests (use GitHub Discussions)

Security Architecture

Static Site

DataPass is deployed as a static website, which provides inherent security benefits:

  • No server-side code execution
  • No database to compromise
  • No user authentication system to attack
  • No server-side sessions or state

Client-Side Processing

All interactive tools process data locally in the browser:

  • Validator: JSON validation runs entirely in-browser using Ajv
  • Builder: Form data never leaves the browser
  • Schema Explorer: Static JSON display

No user-submitted data is transmitted to DataPass servers.

Content Security

DataPass implements security headers including:

  • Content Security Policy (CSP)
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy

Registry Security

Submission Review

Data card submissions to the registry are reviewed before merging:

  • Automated schema validation
  • Manual review by maintainers
  • Verification of links and URLs

Content Guidelines

Data cards must not contain:

  • Malicious URLs or links to malware
  • Executable code or scripts
  • Personal data of individuals without consent
  • Illegal or harmful content

Dependencies

We maintain security of third-party dependencies through:

  • Regular dependency updates
  • Automated vulnerability scanning (Dependabot)
  • Minimal dependency footprint
  • Review of new dependencies before addition

Known Limitations

Users should be aware of these limitations:

Data Card Verification

DataPass validates that data cards conform to the schema, but does not verify:

  • Accuracy of claims made in data cards
  • Validity of licenses claimed
  • Availability or safety of linked datasets
  • Identity of data card submitters

Third-Party Links

Data cards may contain URLs to external resources. DataPass does not control these resources and cannot guarantee their safety or availability.

Incident Response

In the event of a security incident:

  1. Affected content will be removed or disabled immediately
  2. Investigation will determine scope and impact
  3. Affected parties will be notified as appropriate
  4. Post-incident review will identify improvements

Security Updates

Security updates and advisories will be published:

  • In the GitHub repository security advisories
  • On this page for policy updates

Contact

For security-related inquiries:

Acknowledgments

We thank the security researchers who have helped improve DataPass through responsible disclosure. Contributors will be acknowledged here with their permission.