Security: CoTrackPro/St-Louis-County-2050-Plan

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly:

  1. Do NOT open a public GitHub issue for security vulnerabilities
  2. Instead, email the maintainers directly or use GitHub's private vulnerability reporting feature
  3. Include a description of the vulnerability, steps to reproduce, and potential impact

We will acknowledge receipt within 48 hours and provide an estimated timeline for a fix.

Scope

This project processes government performance data. While it does not handle PII (Personally Identifiable Information) by design, please report any scenario where:

  • Scripts could be made to execute arbitrary commands
  • Data files could be crafted to cause injection attacks
  • Output templates could enable XSS in rendered HTML
  • Sensitive data could leak through error messages or logs

Data Handling

  • All sample data in assets/ is synthetic or publicly available
  • Scripts are designed to process aggregate performance metrics, not individual records
  • HTML output in scorecard_renderer.py and dashboard generators should escape user-provided content
  • SQL templates in data_quality_auditor.py are parameterized — review for injection risks
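The two controls named in the last two bullets, escaping user-provided text before it lands in HTML and binding query values as parameters instead of splicing them into SQL, are shown together in the added example below. It is illustrative code written for this page, not the project's scorecard_renderer.py or data_quality_auditor.py; the table layout, function names and the sample KPI rows are constructed assumptions.

```python
import html
import sqlite3

# Constructed sample rows standing in for aggregate KPI metrics (not project data).
SAMPLE_METRICS = [
    ("Parks", "trail_miles_maintained", 120.0),
    ("Parks", "facility_uptime_pct", 97.5),
    ("Public Works", "potholes_filled", 4310.0),
]


def build_sample_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE metrics (department TEXT, kpi TEXT, value REAL)")
    conn.executemany("INSERT INTO metrics VALUES (?, ?, ?)", SAMPLE_METRICS)
    conn.commit()
    return conn


def metrics_for_department(conn, department):
    """Parameterized lookup.

    The department name is passed to the driver as a bound value, so quotes or
    SQL keywords inside it are compared literally and never parsed as SQL.
    Building the statement with string formatting instead is what opens the
    injection risk the policy asks reviewers to look for.
    """
    return conn.execute(
        "SELECT kpi, value FROM metrics WHERE department = ? ORDER BY kpi",
        (department,),
    ).fetchall()


def render_kpi_row(department, kpi, value):
    """One scorecard table row with every text cell escaped.

    html.escape(quote=True) turns &, <, >, " and ' into entities, so a label
    that originated outside the tool (a department name from a config file, a
    KPI name from an uploaded CSV) is displayed as text rather than interpreted
    as markup or attribute syntax.
    """
    cells = (
        html.escape(department, quote=True),
        html.escape(kpi, quote=True),
        html.escape(f"{value:g}", quote=True),
    )
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def render_scorecard(conn, department):
    """Query with a bound parameter, then render the rows with escaped cells."""
    rows = metrics_for_department(conn, department)
    body = "".join(render_kpi_row(department, kpi, value) for kpi, value in rows)
    return f"<table>{body}</table>"


if __name__ == "__main__":
    db = build_sample_db()
    print(render_scorecard(db, "Parks"))
    # A label carrying markup and quotes comes out as inert text.
    print(render_kpi_row('Parks <b>&</b> "Rec"', "facility_uptime_pct", 97.5))
    # A value containing a quote and an OR clause simply matches no department.
    print(metrics_for_department(db, "Parks' OR 'x'='x"))
```

Reviewers checking the real renderers can apply the same two tests: feed a label containing `<`, `&` and quotes and confirm the output contains only entities, and feed a department value containing a quote to the SQL helper and confirm it is matched as a literal string rather than changing the query.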

Supported Versions

Version | Supported
------- | ---------
main    | Yes

Missouri Sunshine Law

This project operates in compliance with Missouri's Sunshine Law (RSMo Chapter 610). All KPI data, benchmarks, and reports generated by this tool are designed to be public records. See references/missouri-legal-context.md for details.