๐ก๏ธ Security Through Transparency and Vulnerability Management
๐ฏ Defense-in-Depth Architecture for Democratic Intelligence
๐ Document Owner: CEO | ๐ Version: 1.0 | ๐
Last Updated: 2026-02-20 (UTC)
๐ Review Cycle: Quarterly | โฐ Next Review: 2026-05-20
๐ข Owner: Hack23 AB (Org.nr 5595347807) | ๐ท๏ธ Classification: Public
This security policy establishes vulnerability disclosure and incident response procedures for Riksdagsmonitor, implementing Vulnerability Management and Incident Response Plan from Hack23 AB's ISMS framework.
Our security approach demonstrates our commitment to transparency and operational excellence, ensuring that vulnerabilities are managed systematically with documented response times and coordinated disclosure processes.
โ James Pether Sรถrling, CEO/Founder
This project is under active development, and we provide security updates for the latest version only.
| Version | Supported | ISMS Policy |
|---|---|---|
| latest | โ | Vulnerability Management |
Riksdagsmonitor maintains strong security practices as documented in our Security Architecture:
- โ Static Site Architecture โ No server-side code execution, no database vulnerabilities
- โ HTTPS-Only โ TLS 1.3 via AWS CloudFront and GitHub Pages
- โ Automated Security Scanning โ CodeQL, Dependabot, Secret Scanning
- โ Supply Chain Security โ SHA-pinned GitHub Actions, step-security/harden-runner
- โ Multi-Region Availability โ AWS CloudFront (us-east-1 primary, eu-west-1 replica) with GitHub Pages DR
- โ SLSA Build Provenance โ Attestation for build integrity
- โ Content Integrity โ Subresource Integrity (SRI) for CDN assets
- โ Security Headers โ CSP, HSTS, X-Frame-Options, X-Content-Type-Options
Evidence:
We take the security of Riksdagsmonitor seriously. If you have found a potential security vulnerability, we kindly ask you to report it privately, so that we can assess and address the issue before it becomes publicly known.
A vulnerability is a weakness or flaw in the project that can be exploited to compromise the security, integrity, or availability of the system or its data. Examples include, but are not limited to:
- Cross-site scripting (XSS) in generated content
- Insecure external resource loading
- Exposed secrets or credentials
- Supply chain vulnerabilities in dependencies
- Content injection through data pipelines
The following components are within the disclosure scope and welcome responsible-disclosure reports:
- Static site โ all HTML/CSS/JS served from
/and/dashboard/and/news/. - News generation pipeline:
scripts/aggregate-analysis.tsโ concatenatesanalysis/daily/$DATE/$SUB/artifacts intoarticle.md+ SHA-256 manifest.scripts/render-articles.tsโ markdown โ sanitised HTML pipeline.scripts/render-lib/โ shared chrome (header, footer, language switcher, JSON-LDNewsArticleshell) and therehype-sanitizeallow-list.scripts/validate-news-translations.tsโ translation-completeness validator.
- Index generators โ
scripts/generate-sitemap*.ts,scripts/generate-rss.ts,scripts/generate-news-indexes.ts,scripts/generate-political-intelligence.ts. - Agentic workflows โ 11 workflows in
.github/workflows/news-*.md+ their compiled.lock.ymlpeers, plus the non-agentic CI/CD pipelines in.github/workflows/. - MCP configuration โ
.github/copilot-mcp.jsonand per-workflowmcp-servers:blocks.
- On GitHub.com, navigate to the main page of the riksdagsmonitor repository.
- Under the repository name, click Security.
- In the left sidebar, under "Reporting", click Advisories.
- Click Report a vulnerability to open the advisory form.
- Fill in the advisory details form with as much information as possible.
- At the bottom of the form, click Submit report.
Upon receipt of a vulnerability report, our team will:
- Acknowledge the report within 48 hours
- Validate the vulnerability within 7 days
- Develop and release a patch or mitigation within 30 days (depending on complexity and severity)
- Publish a security advisory with a detailed description of the vulnerability and the fix
We appreciate your effort in helping us maintain a secure project. If your report results in a confirmed security fix, we will recognize your contribution in the release notes, unless you request to remain anonymous.
Riksdagsmonitor's security practices are part of Hack23 AB's comprehensive Information Security Management System (ISMS):
| ๐ก๏ธ Policy | ๐ Application to Riksdagsmonitor |
|---|---|
| Vulnerability Management | 48h response SLA, coordinated disclosure process |
| Incident Response Plan | P1-P4 incident classification, escalation procedures |
| Secure Development Policy | Security testing requirements, code review standards |
| Information Security Policy | Overall security governance framework |
| Network Security Policy | HTTPS-only, TLS 1.3, CDN security |
| Cryptography Policy | TLS configuration, SRI hashes |
- ๐ก๏ธ Security Architecture: SECURITY_ARCHITECTURE.md โ Defense-in-depth controls
- ๐ฏ Threat Model: THREAT_MODEL.md โ STRIDE analysis, MITRE ATT&CK mapping
- ๐ฎ Future Security: FUTURE_SECURITY_ARCHITECTURE.md โ Security roadmap
- ๐ง CI/CD Security: WORKFLOWS.md โ Pipeline security controls
- ๐ก๏ธ Security Architecture โ System security design
- ๐ฏ Threat Model โ Comprehensive threat analysis
- ๐ฎ Future Security Architecture โ Security roadmap
- ๐๏ธ Architecture โ System architecture (C4 models)
- ๐ง Workflows โ CI/CD pipeline documentation
- ๐ค Contributing Guidelines โ Secure contribution process
- ๐ Code of Conduct โ Community standards
- ๐ README โ Project overview and classification
- ๐ Information Security Policy
- ๐ Vulnerability Management
- ๐จ Incident Response Plan
- ๐ ๏ธ Secure Development Policy
๐ Document Control:
โ
Approved by: James Pether Sรถrling, CEO
๐ค Distribution: Public
๐ท๏ธ Classification:
๐
Effective Date: 2026-02-20
โฐ Next Review: 2026-05-20
๐ฏ Framework Compliance: 
Effective: 2026-04-24 ยท Authoritative hub:
analysis/imf/README.mdยทanalysis/imf/agentic-integration.mdยทanalysis/imf/indicators-inventory.jsonยทanalysis/imf/data-dictionary.mdยท.github/aw/ECONOMIC_DATA_CONTRACT.md
Riksdagsmonitor consumes public, anonymous, unauthenticated macro/fiscal/monetary statistics from the IMF Datamapper REST API (www.imf.org/external/datamapper/api/v1) and the IMF SDMX 3.0 endpoint (sdmxcentral.imf.org). No personal data, no credentials, no auth tokens are exchanged with the IMF. The IMF integration is therefore out of scope for GDPR DPIA but in scope for this security policy as a third-party dependency.
| Control | Implementation |
|---|---|
| Transport | HTTPS-only ยท TLS 1.3 ยท pinned hostnames in egress allow-list |
| Integrity | SHA-256 payload pin per (dataflow, indicator, country, vintage); supersedes-chain in cache |
| Vintage discipline | Reject payloads >6 months old without staleness annotation (ECONOMIC_DATA_CONTRACT v2.1) |
| Rate-limit guard | โค30 req/min self-imposed; exponential back-off |
| Supply chain | scripts/imf-*.ts reviewed in-repo; no dynamic eval; harden-runner egress audit |
| Licence | Attribution-required; auto-emitted in article footer template |
If you discover a vulnerability in our IMF integration (e.g., cache integrity bypass, vintage substitution, egress allow-list breakout), follow the standard vulnerability-disclosure flow above. IMF data is public, so confidentiality breaches are not a concern; integrity and availability are the relevant attack surfaces.
Egress hosts (allow-list): www.imf.org (Datamapper REST ยท WEO/FM), sdmxcentral.imf.org (SDMX 3.0 REST ยท IFS/BOP/DOTS/GFS/PCPS/ER/MFS_IR/MFS_PR). Both HTTPS-only, anonymous, public โ no credentials required.
Canonical rule. Every economic claim in a Riksdagsmonitor article cites an IMF dataflow first; World Bank citations are reserved for governance, environment and social residue (the classes IMF does not publish). SCB is the Swedish-specific ground truth layer. See ECONOMIC_DATA_CONTRACT.md v2.1 for the banned-phrase list and vintage discipline (>6 mo โ annotation).