We release patches for security vulnerabilities for the following versions:

| Version | Supported |
|---|---|
| Latest | ✅ Yes |
| < Latest | ❌ No |
Please do NOT report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in this project, please report it responsibly:
- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the vulnerability report form with:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if you have one)
If you prefer, you can email the maintainers directly. Please include:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
After you submit a vulnerability report:
- Acknowledgment: We'll acknowledge receipt within 48 hours
- Assessment: We'll assess the vulnerability and determine its severity
- Updates: We'll keep you informed of our progress
- Fix: We'll work on a fix and coordinate disclosure timing with you
- Credit: We'll credit you in the security advisory (unless you prefer to remain anonymous)
This project follows these security practices:
- Dependencies are regularly updated via Dependabot
- Security advisories are monitored and addressed promptly
- Only trusted, well-maintained packages are used
- No sensitive user data is collected or stored
- All data sources are from trusted, official organizations
- Data is served over HTTPS only
- Code is reviewed before merging
- ESLint is used to catch potential issues
- No secrets or API keys are committed to the repository
- Deployed on Cloudflare Pages with automatic HTTPS
- Content Security Policy headers configured
- Regular security scans performed
This project relies on data from the Global Carbon Budget (Zenodo). We:
- Verify data source URLs use HTTPS
- Document data provenance clearly
- Implement automated data updates with validation
As a client-side application:
- No server-side processing of user input
- No authentication or user accounts
- No cookies or local storage of sensitive data
- All external API calls are to trusted sources only
We kindly ask that you:
- Give us reasonable time to address the vulnerability before public disclosure
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.
For security-related questions that are not vulnerabilities, please open a GitHub Discussion.
Last Updated: November 2025