Tools for Democracy

Knowledge infrastructure for governments that want to fix themselves. Built by Cory Weinstein.

© 2026 Tools for Democracy LLC. All rights reserved.

Security Disclosure Policy

Effective April 2, 2026

Reporting a Vulnerability

If you believe you have discovered a security vulnerability in any Tools for Democracy software product, please report it to:

cory@toolsfordemocracy.us

Encrypted communication available upon request (PGP public key provided on contact).

Do not report security vulnerabilities through public GitHub issues, forums, or social media.

What to Include

To help us investigate and respond efficiently, please provide:

Description

A clear explanation of the vulnerability and its potential impact.

Affected Product & Version

Which package(s) and version(s) are affected.

Steps to Reproduce

Detailed instructions or a proof-of-concept that demonstrates the issue.

Environment Details

Python version, operating system, and any relevant configuration.

Response Timeline

Step | Target
Acknowledgment of report | Promptly
Initial assessment and status update | 10 business days
Fix development and testing | Depends on severity
Coordinated disclosure | 90 days from initial report

Severity-Based Fix Targets

CRITICAL

Remote code execution, data exfiltration. Patch within 7 days.

HIGH

Privilege escalation, auth bypass. Patch within 30 days.

MEDIUM

Information disclosure, denial of service. Patch within 60 days.

LOW

Cosmetic, informational. Next scheduled release.

Coordinated Disclosure

We follow a 90-day coordinated disclosure timeline. We ask that reporters:

  1. Allow us 90 days from the date of the initial report to develop and release a fix before any public disclosure.
  2. Make a good-faith effort to avoid accessing or modifying data that does not belong to you.
  3. Avoid disruption to production systems during testing.

If we are unable to resolve the issue within 90 days, we will coordinate with the reporter on an appropriate disclosure timeline.

Safe Harbor

We value the security research community and commit to working with researchers in good faith.

Tools for Democracy LLC will not pursue legal action against individuals who:

  • Report vulnerabilities in good faith and in compliance with this policy.
  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it.
  • Do not publicly disclose the vulnerability before the coordinated disclosure date.

This safe harbor applies to legal claims under our control (e.g., breach of contract, computer fraud). It does not bind third parties or government agencies.

Scope

This policy covers all software products published by Tools for Democracy LLC:

In Scope

  • tfd-knowledge-capture
  • tfd-confidence-monitor
  • tfd-structured-reasoning
  • tfd-cross-domain
  • tfd-after-action
  • tfd-policy-analyzer

Out of Scope

  • Third-party dependencies not maintained by us
  • Customer-modified versions (unless the bug exists in the unmodified release)
  • Social engineering attacks against staff
  • Physical security of customer environments

Recognition

We appreciate security researchers who help us keep our software safe. With your permission, we will acknowledge your contribution in our release notes. We do not currently operate a paid bug bounty program.

Contact

Security reports: cory@toolsfordemocracy.us

General support: cory@toolsfordemocracy.us

Web: toolsfordemocracy.us
