Security Policy

GovLens takes the security of our platform and the privacy of our users seriously.

Reporting a Vulnerability

If you discover a security vulnerability in GovLens, please report it responsibly:

  • Email: security@govlens.eu
  • Do not disclose the vulnerability publicly until we have had a chance to address it
  • We aim to acknowledge reports within 48 hours
  • We aim to provide a fix within 7 days for critical issues

Scope

The following are in scope for security reports:

  • govlens.eu and all subdomains
  • The GovLens API (api.govlens.eu)
  • Authentication and session management
  • Citizen data privacy and encryption
  • Position voting integrity

Our Commitments

  • We will not take legal action against researchers who report vulnerabilities responsibly
  • We will acknowledge your contribution (unless you prefer to remain anonymous)
  • We will publish a post-mortem within 72 hours of resolving critical vulnerabilities
  • We maintain a public anomaly transparency log at /transparency/anomalies

Data Protection

Citizen identity and voting positions are stored in separate database schemas with no direct foreign key relationship. The link between identity and positions uses a one-way HMAC that requires a server-side secret to compute. See our Privacy Policy for full details.
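
An added illustration of this kind of keyed link, not GovLens code: the table layout, the citizen_id format, the choice of HMAC-SHA256 and the in-memory key are all assumptions made for the example. It shows that positions can be looked up only by re-deriving the link with the secret, and that a plain hash of the identifier does not match what is stored.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Assumption: constructed key for the demo. A real deployment would keep it
# outside the database (for example in a KMS or HSM).
LINK_KEY = secrets.token_bytes(32)


def link_token(citizen_id: str, key: bytes) -> str:
    """Keyed one-way pseudonym: HMAC-SHA256 over the citizen identifier."""
    return hmac.new(key, citizen_id.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_guess(citizen_id: str) -> str:
    """What someone holding only a database dump could compute: a plain hash."""
    return hashlib.sha256(citizen_id.encode("utf-8")).hexdigest()


def build_store() -> sqlite3.Connection:
    """Two tables stand in for the two schemas; no foreign key joins them."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE identity (citizen_id TEXT PRIMARY KEY, email TEXT)")
    db.execute("CREATE TABLE positions (link TEXT, topic TEXT, vote TEXT)")
    return db


def cast(db, citizen_id, topic, vote, key):
    """Store a position under the pseudonym only, never the citizen_id."""
    db.execute("INSERT INTO positions VALUES (?, ?, ?)",
               (link_token(citizen_id, key), topic, vote))


def positions_for(db, citizen_id, key):
    """Re-derive the pseudonym with the key and look up that citizen's positions."""
    cur = db.execute("SELECT topic, vote FROM positions WHERE link = ? ORDER BY topic",
                     (link_token(citizen_id, key),))
    return cur.fetchall()


if __name__ == "__main__":
    db = build_store()
    db.execute("INSERT INTO identity VALUES (?, ?)", ("c-1001", "a@example.org"))  # constructed
    cast(db, "c-1001", "topic-a", "for", LINK_KEY)
    print(positions_for(db, "c-1001", LINK_KEY))        # looked up with the key
    print(positions_for(db, "c-1001", b"\x00" * 32))    # looked up with a wrong key
```

The token is deterministic, so anyone holding the key can recompute the link for a known identifier; the separation holds only while the key stays out of the database and its backups.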

Last updated: March 2026