
Security: friendly-fhir/go-fhir

SECURITY.md

Security Policy

Reporting a Security Vulnerability

At Friendly FHIR, we take security issues seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.

To report a security vulnerability, please send an email to security AT friendly-fhir.org. We kindly request that you refrain from publicly disclosing the issue until we have had an opportunity to address it.

Your report should include the following information:

  • Description of the vulnerability: Provide a clear and concise description of the vulnerability you have discovered.

  • Steps to reproduce: Describe the steps that are necessary to reproduce the vulnerability so that we can quickly understand and validate the issue.

  • Impact: Describe the potential impact of the vulnerability.

  • Versions affected: Indicate which versions of our software are affected by the vulnerability, if known.

Safe Harbor

Friendly FHIR supports responsible disclosure. If you discover a security issue, we ask that you:

  • Refrain from accessing or modifying data without explicit permission.
  • Avoid interrupting or degrading the performance of our services.
  • Refrain from publicly disclosing the issue until we have addressed it.

Response Process

Upon receiving your security report, we will:

  • Acknowledge receipt of your report in a timely manner. Ideally this is within 5 business days; however, as this is an unsupported open-source project, please respect that our response time may vary.
  • Investigate the issue and determine its impact and scope.
  • Develop and implement a fix for the vulnerability, prioritizing the safety and security of our users.
  • Notify you when the vulnerability has been resolved and publicly acknowledge your contribution (if you wish to be credited).

Thank You

We sincerely appreciate your help in keeping Friendly FHIR safe. Your efforts contribute to the ongoing improvement of our security practices and the protection of our users.

There aren’t any published security advisories