Security: az-civic-tools/az-civic-tools

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in any AZ Civic Tools project, please report it responsibly.

Email: alex@log.vin

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if you have one)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 1 week
  • Fix or mitigation: As soon as possible, depending on severity

Scope

This policy covers:

  • The Cactus Watch bill tracker (API and frontend)
  • The authentication service at auth.cactus.watch
  • The District Finder tool
  • Any other tools in this repository

Out of Scope

  • Denial of service attacks
  • Social engineering
  • Issues in third-party dependencies (report those upstream, but let us know so we can update)

Disclosure

We ask that you give us reasonable time to fix the issue before public disclosure. We will credit you in the fix commit unless you prefer to remain anonymous.
