The Planetary Restoration Archive Education project prioritizes the safety and security of educators, students, and contributors. We take all security concerns seriously, especially those that could impact educational environments and student well-being.

Please report any vulnerabilities or security concerns including:

• Vulnerabilities in code or documentation that could compromise user safety
• Privacy concerns with educational content or data handling
• Potential risks to student data protection or safety
• Issues with AI integration that could cause harm or inappropriate content generation
• Authentication or authorization problems
• Social engineering vulnerabilities in community processes
• Third-party dependency vulnerabilities

Do NOT create public issues for security vulnerabilities.

Instead, please email us at: security@planetaryrestorationarchive.com

Your report should include:

• Detailed description of the vulnerability
• Steps to reproduce the issue (if applicable)
• Potential impact on educational environments and users
• Any suggested fixes or mitigation strategies
• Your contact information for follow-up questions

We are committed to addressing security concerns promptly:

• Acknowledgment: Within 24 hours of receiving your report
• Initial Assessment: Within 72 hours with preliminary impact evaluation
• Status Updates: Weekly updates on resolution progress
• Resolution: Within 2 weeks for critical issues, 4 weeks for moderate issues

We actively maintain security for the following versions:

Educational institutions should implement these security measures:

• Review all AI-generated content before classroom use to ensure appropriateness
• Maintain strict student privacy protections when using AI tools
• Keep sensitive educational data separate from AI systems and cloud services
• Conduct regular reviews of third-party integrations and tools
• Establish clear data retention and deletion policies for student work
• Train staff on recognizing and reporting security concerns
• Implement access controls for educational technology systems

Students should follow these safety guidelines:

• Never share personal information (full name, address, phone number) with AI systems
• Understand when and how AI is being used in your learning activities
• Report any uncomfortable, inappropriate, or concerning AI interactions immediately
• Maintain clear authorship and ownership of your creative work
• Use strong, unique passwords for any educational platforms
• Be cautious about downloading or installing educational software

Technical contributors must adhere to secure development practices:

• Follow secure coding practices and conduct code reviews
• Validate and sanitize all user inputs to prevent injection attacks
• Use encryption for any sensitive data transmission or storage
• Implement proper authentication and authorization mechanisms
• Keep dependencies updated and monitor for known vulnerabilities
• Use environment variables for sensitive configuration data
• Follow the principle of least privilege in system access

We adhere to comprehensive privacy protection standards:

• FERPA: Full compliance with Family Educational Rights and Privacy Act
• COPPA: Enhanced protections for students under 13 years of age
• GDPR: Complete compliance for international users and data processing
• State Privacy Laws: Adherence to applicable state-level educational privacy requirements

• Collect only data that is essential for educational functionality
• Implement automatic data expiration and deletion policies
• Provide clear opt-out mechanisms for all data collection
• Regular audits of data collection and usage practices

• Student inputs to AI systems are not used for model training
• AI interactions are logged minimally and deleted regularly
• Clear disclosure of all AI data processing activities
• Student consent mechanisms for AI-enhanced learning activities

Critical (Severity 1)

• Student safety or privacy compromised
• Unauthorized access to educational records
• Malicious content generation affecting multiple users
• System compromise affecting core functionality

High (Severity 2)

• Potential privacy violations
• Significant functionality disruption
• Authentication or authorization failures
• Data integrity concerns

Medium (Severity 3)

• Minor privacy concerns
• Limited functionality issues
• Non-critical security improvements needed

For each incident classification, we implement structured response procedures including stakeholder notification, containment measures, investigation protocols, and recovery plans. Educational institutions using our resources will be notified immediately of any incidents that could affect their environments.

• Regular security assessments and penetration testing
• Encrypted communication channels for all data transmission
• Secure hosting environments with industry-standard protections
• Regular backup and disaster recovery testing

• Input validation and output encoding to prevent injection attacks
• Session management and authentication controls
• Regular dependency scanning and updates
• Automated security testing in development pipelines

• Review processes for all educational content before publication
• Monitoring systems for inappropriate or harmful content generation
• Version control and audit trails for all content modifications
• Community reporting mechanisms for content concerns

We carefully evaluate all third-party services and tools:

• Privacy policy compliance with educational standards
• Security certifications and audit reports
• Data processing and storage locations
• Incident response capabilities and notification procedures

• Minimal data sharing with external services
• Clear terms of service that protect educational use
• Regular security reviews of integrated tools
• Alternative options provided when possible

• Regular security awareness content for educators
• Student digital citizenship resources
• Developer security training materials
• Incident reporting and response guidance

• Quarterly security training for maintainers
• Annual third-party security assessments
• Regular review and updates of security policies
• Community feedback integration for security enhancements

• Primary Contact: security@planetaryrestorationarchive.com
• Response Time: Within 24 hours for initial acknowledgment
• Escalation: Available for critical issues affecting student safety

• Technical Support: support@planetaryrestorationarchive.com
• Community Discussion: GitHub Discussions platform
• Office Hours: Fridays 4-5 PM EST for real-time consultation

For urgent security concerns that pose immediate risk to student safety or privacy, contact our security team directly with "URGENT SECURITY" in the subject line. Critical issues receive immediate attention regardless of normal business hours.

We believe in recognizing security researchers and community members who help improve our security posture:

• Public acknowledgment in our security advisories (with permission)
• Contributor recognition in project documentation
• Priority consideration for community leadership roles
• Reference letters for professional or academic purposes

We welcome collaboration with academic institutions and security research organizations. Contact us to discuss responsible research partnerships that benefit the broader educational technology community.

Security is a collective responsibility. Every educator, student, and contributor plays a vital role in maintaining a safe learning environment.

Last Updated: August 5, 2025
Next Scheduled Review: November 5, 2025
Policy Version: 1.0