Vulnerability disclosure · Severity SLAs · Compliance posture · Accepted risks
Responsible disclosure · 48h ack · ISO 27001 / NIS2 / EU CRA aligned · Coordinated public credit
Document Owner: CEO | Version: 1.1 | Last Updated: 2026-04-27 (UTC) | Review Cycle: Quarterly | Next Review: 2026-07-27 | Classification: Public
This Security Policy documents how to report vulnerabilities in the EU Parliament Monitor platform, the severity-based remediation SLAs we commit to, the compliance frameworks we align with, and the accepted residual risks we explicitly carry. It is the public face of the broader SECURITY_ARCHITECTURE.md and operates under the Hack23 ISMS Vulnerability Management Policy.
Sister policies: SECURITY_ARCHITECTURE.md (C4 controls + threat model) · THREAT_MODEL.md (STRIDE for software-security context) · CRA-ASSESSMENT.md (EU Cyber Resilience Act conformity) · CLASSIFICATION.md (CIA triad + BCP impact bands).
This project is under active development. Security updates are provided for the latest released version only. Always upgrade to the most recent release for security fixes.
| Version | Supported | EOL |
|---|---|---|
| latest (main) | Active | n/a |
| Older releases | End of life | Upgrade required |
We take the security of the EU Parliament Monitor project seriously. If you discover a potential vulnerability, please report it privately so we can assess and remediate before public disclosure.
| Category | Examples |
|---|---|
| Injection | XSS, HTML injection, Markdown-it sanitization bypass |
| Auth/Authz | OIDC misconfiguration, GitHub Actions secret leakage |
| Supply chain | Insecure dependencies, compromised vendored bundle (Mermaid/Chart.js/D3) |
| Data exposure | Sensitive data exposure, GDPR boundary violation |
| Misconfiguration | Insecure defaults, CSP bypass, S3/CloudFront exposure |
| Validation | Insufficient input validation in MCP payload handling |
- Visit github.com/Hack23/euparliamentmonitor
- Click the Security tab → Advisories → Report a vulnerability
- Fill in: description, reproduction steps, potential impact, suggested mitigation
- Submit → maintainers are notified privately and you become a collaborator on the advisory
| Channel | Address | Use when |
|---|---|---|
| GitHub Advisory | Report here | Default, preferred |
| Email | security@hack23.com | GitHub unavailable; subject line `[SECURITY] EU Parliament Monitor - <brief description>` |
Upon receipt of a vulnerability report:
| Phase | Target | Action |
|---|---|---|
| Acknowledge | ≤ 48 hours | Confirm receipt and assign internal handler |
| Validate | ≤ 7 days | Reproduce, classify CVSS severity, assign CVE if applicable |
| Remediate | Per SLA below | Develop, test, and release patch or mitigation |
| Publish | After patch | Coordinated public advisory with reporter credit |
Per the Hack23 ISMS Vulnerability Management Policy:
| Severity | CVSS v3.1 | Remediation SLA | Description |
|---|---|---|---|
| Critical | 9.0 – 10.0 | 7 days | Immediate threat, active exploitation possible |
| High | 7.0 – 8.9 | 30 days | Significant security impact |
| Medium | 4.0 – 6.9 | 90 days | Moderate security impact |
| Low | 0.1 – 3.9 | Best effort | Minimal security impact |
We employ multiple defence-in-depth layers, all wired into CI/CD:
| Layer | Tool | Trigger |
|---|---|---|
| SAST | CodeQL | Push, PR, weekly schedule |
| SCA | Dependabot + npm audit | Daily, PR validation |
| Unit security tests | Vitest (≥80% coverage) | Every commit |
| DAST | Playwright + axe-core (accessibility-as-security) | PR + nightly |
| Supply chain | OpenSSF Scorecard + SLSA L3 attestations | Weekly + on release |
| License compliance | REUSE | Push, PR, weekly |
See SECURITY_ARCHITECTURE.md § Security Testing for full coverage details.
In scope:

- News generation scripts (`scripts/`)
- Analysis-artifact aggregator (`src/aggregator/**`: `artifact-order.ts`, `clean-artifact.ts`, `analysis-aggregator.ts`, `markdown-renderer.ts`, `article-html.ts`, `article-metadata.ts`, `article-generator.ts` CLI)
- HTML sanitiser (`src/utils/html-sanitize.ts`) and the `markdown-it` render pipeline with explicit plugin allowlist (`markdown-it-anchor`, `markdown-it-footnote`, `markdown-it-attrs`, `markdown-it-deflist`)
- MCP clients (`src/mcp/**`: European Parliament, IMF, World Bank) including the `getVotingRecordsWithFallback()` three-state fallback to the EP Open Data Portal
- Committed analysis artifacts under `analysis/daily/**` (attack surface for aggregator rendering)
- Vendored client-side diagram renderer (`js/vendor/mermaid/` etc.) under strict `script-src 'self'` CSP
- HTML templates and rendered output (`news/*.html`, language variants)
- GitHub Actions and gh-aw agentic workflows (`.github/workflows/news-*.md`: 8 unified `news-<type>.md` + `news-translate.md`)
- AWS S3 + CloudFront deployment pipeline (`deploy-s3.yml`, OIDC `GithubWorkFlowRole`)
- Dependencies and supply chain (OpenSSF Scorecard + SLSA L3 provenance + SBOM)
Out of scope:

- Third-party services (GitHub, European Parliament APIs, IMF SDMX REST, World Bank Open Data)
- Infrastructure (AWS account-level, GitHub Pages hosting as fallback runbook)
- Client-side browser vulnerabilities not under platform control
| Channel | What you get |
|---|---|
| Release notes | Reporter credit (with consent) |
| Security advisory | Public acknowledgment in the GHSA |
| Public GitHub recognition | Credit on the advisory page (unless anonymity requested) |
| Security Hall of Fame | Repeat or high-impact contributors considered |
We respect anonymity requests; you can opt out at any point in the disclosure flow.
EU Parliament Monitor aligns with the following frameworks. Evidence is traceable through ISMS-PUBLIC, the SECURITY_ARCHITECTURE compliance matrix, and the CRA-ASSESSMENT conformity table.
| Framework | Scope | Evidence |
|---|---|---|
| ISO 27001:2022 | Information security management | SECURITY_ARCHITECTURE § Compliance Matrix |
| NIST CSF 2.0 | Identify · Protect · Detect · Respond · Recover | SECURITY_ARCHITECTURE § NIST CSF |
| CIS Controls v8.1 | 18 critical security controls | CodeQL, Dependabot, npm audit, SBOM |
| GDPR | Data minimisation, purpose limitation | EP open data only, no profiling |
| NIS2 | Article 20–21 cybersecurity risk management | THREAT_MODEL.md (STRIDE software context) |
| EU Cyber Resilience Act | SBOM, vulnerability disclosure, Annex I/V | CRA-ASSESSMENT.md, SLSA provenance |
| OWASP Top 10 | Web-app security best practices | Same-origin CSP, sanitised rendering |
| Metric | Target | Current |
|---|---|---|
| Known vulnerabilities (npm audit) | 0 production | 0 (2 documented dev-only accepted risks, see below) |
| Code coverage with security tests | ≥ 80 % line | 82 %+ |
| Dependency-scanning coverage | 100 % | 100 % |
| CodeQL critical/high findings | 0 | 0 |
| OpenSSF Scorecard | ≥ 7.0 | Live score |
| SLSA build level | L3 | Attestations |
See SECURITY_ARCHITECTURE.md § Security Metrics for trend data.
The following advisories are detected by npm audit and explicitly allow-listed in .github/workflows/test-and-report.yml (Security Check job). Both are dev-only and do not reach end-user runtime:
| GHSA | Package | Severity | Path | Justification |
|---|---|---|---|---|
| GHSA-2g4f-4pwh-qvx6 | ajv (via ESLint) | Moderate (ReDoS) | devDep | ESLint does not invoke ajv with the `$data` option; the issue is only triggered on attacker-controlled JSON schemas, which we never feed it. Resolves with the ESLint 10 upgrade. |
| GHSA-w5hq-g745-h8pq | uuid <14.0.0 (via mermaid) | Moderate (buffer bounds) | devDep | mermaid is a build-time-only dependency. The library is vendored to `js/vendor/mermaid/` and renders diagrams from analyst-authored Markdown that has passed the Stage-C completeness gate; user input never reaches `uuid.v3/v5/v6` with an attacker-controlled `buf` argument. The site is fully static: no server-side mermaid execution. |
⚠️ Drift guard: if `npm audit` reports any GHSA outside this list, the Security Check job MUST fail. Allow-listing requires a pull request that updates this table and the workflow allow-list together.
| Resource | Link |
|---|---|
| Threat model | SECURITY_ARCHITECTURE § Threat Model |
| Security controls | SECURITY_ARCHITECTURE § Security Controls |
| Incident response | Hack23 ISMS Incident Response Plan |
| Vulnerability management | Hack23 ISMS Vulnerability Management |
| Information security policy | Hack23 ISMS Information Security Policy |
| Secure development policy | Hack23 ISMS Secure Development Policy |
| Threat modelling policy | Hack23 ISMS Threat Modeling |
| Classification framework | Hack23 ISMS Classification |
| EU CRA conformity assessment | CRA-ASSESSMENT.md |
EU Parliament Monitor is part of the broader Hack23 civic-tech and security portfolio:
| Project | Focus | Link |
|---|---|---|
| Hack23 Homepage | Organisation site, ISMS hub | hack23.com · Hack23/homepage |
| ISMS-PUBLIC | Public ISO 27001 / NIST CSF / CIS / GDPR / NIS2 / EU CRA policies | Hack23/ISMS-PUBLIC |
| European Parliament MCP Server | TypeScript MCP server with 60+ EP open-data tools | Hack23/European-Parliament-MCP-Server |
| Riksdag Monitor | Swedish Parliament monitor (sister project) | Hack23/riksdagsmonitor |
| CIA | Swedish Parliament intelligence platform (Java/Spring) | Hack23/cia |
| CIA Compliance Manager | CIA-triad compliance dashboard (TypeScript) | Hack23/cia-compliance-manager |
| Black Trigram | Korean martial-arts game with security focus | Hack23/blacktrigram |
| Channel | Use for |
|---|---|
| GitHub Security Advisory | Vulnerabilities (preferred) |
| security@hack23.com | Vulnerabilities (alternative) |
| GitHub Issues | Non-security bugs and feature requests |
| GitHub Discussions | Q&A, design discussions |
| info@hack23.com | General inquiries |
| conduct@hack23.com | Code of Conduct concerns |
Thank you for helping us keep EU Parliament Monitor and its users safe. Your contributions to our security posture are deeply appreciated.
Maintained by Hack23 AB (Intelligence Operations Team) under the Hack23 ISMS framework.