GenPRES is a medical decision support system for medication safety in pediatrics. Security vulnerabilities in this software could directly impact patient safety. We take security extremely seriously and appreciate responsible disclosure of any security issues.
The current document is a first draft and will be expanded over time to include more details on our security practices, vulnerability management, and best practices for contributors.
| Version | Supported | Status |
|---|---|---|
| 2.0.x | ✅ | Active Development |
| 1.x.x | ❌ | No longer supported |
DO NOT open a public issue for security vulnerabilities.
-
Report privately via one of these methods:
- GitHub Security Advisories (preferred): Use the "Report a vulnerability" button in the Security tab
- Email: [INSERT SECURITY CONTACT EMAIL]
- Subject line:
[SECURITY] Brief description of issue
-
Include in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact (especially related to patient safety)
- Affected versions
- Suggested fix (if available)
- Whether you plan to publicly disclose (and timeline)
-
Expected response timeline:
- Initial response: Within 48 hours
- Assessment: Within 1 week
- Fix plan: Within 2 weeks
- Security patch release: Based on severity
-
Coordinated disclosure:
- We will work with you to understand and validate the issue
- We will develop and test a fix
- We will coordinate public disclosure timing
- We will credit you in the security advisory (unless you prefer to remain anonymous)
- Remote code execution
- Privilege escalation
- Patient data exposure
- Response time: Immediate (24-48 hours)
- Authentication bypass
- Authorization bypass
- Sensitive data leakage
- Response time: 3-5 days
- Information disclosure
- Denial of service
- Response time: 1-2 weeks
- Minor information disclosure
- Configuration issues
- Response time: As part of regular release cycle
- Never commit sensitive data (credentials, API keys, patient data)
- Use parameterized queries (SQL injection prevention)
- Validate and sanitize all user inputs
- Follow principle of least privilege
- Review CONTRIBUTING.md for secure coding guidelines
- Keep dependencies up to date
- Review dependency security advisories
- Use Dependabot or similar tools
- Audit third-party packages regularly
- Follow MDR (EU Medical Device Regulation 2017/745) security requirements
- Maintain audit logs for all security-relevant events
- Implement access controls appropriate for medical software
- Ensure GDPR compliance for patient data
- Implement secure session management
- Use strong password policies
- Support multi-factor authentication where applicable
- Implement proper role-based access control (RBAC)
- Encrypt sensitive data at rest and in transit
- Implement secure key management
- Follow data minimization principles
- Ensure secure backup and recovery procedures
-
Input Validation
- Comprehensive validation of all medication orders
- Unit of measure validation
- Dosage range validation
- Type-safe F# domain modeling
-
Audit Logging
- All calculation operations logged
- User actions tracked
- Error conditions recorded
- Compliance with medical device audit requirements
-
Data Privacy
- Stateless session design (no persistent patient data)
- Minimal data retention
- GDPR-compliant data handling
- Secure communication channels
-
Code Security
- Type-safe F# implementation
- Immutable data structures
- Comprehensive test coverage
- Regular security scanning
-
Dependency Management
- Regular dependency updates
- Security advisory monitoring
- SBOM (Software Bill of Materials) generation
- License compliance tracking
- Automated security scanning in CI/CD
- Penetration testing
- Security-focused code reviews
- Threat modeling workshops
- Security certification for medical device software
In the event of a confirmed security incident:
- Containment: Immediate actions to limit impact
- Assessment: Full scope and impact analysis
- Remediation: Fix development and testing
- Notification: Inform affected parties and authorities as required
- Documentation: Complete incident report for MDR compliance
- Post-mortem: Lessons learned and process improvements
GenPRES follows security requirements from:
- EU MDR 2017/745 (Medical Device Regulation)
- ISO 14971 (Risk Management)
- IEC 62304 (Medical Device Software Life Cycle)
- GDPR (General Data Protection Regulation)
- ISO 27001 (Information Security Management)
All security vulnerabilities are assessed for regulatory reporting requirements.
We believe in recognizing security researchers who help keep GenPRES secure:
- Public acknowledgment in security advisories (with permission)
- Credit in CHANGELOG.md for security fixes
- Recognition in CONTRIBUTORS.md
We currently do not offer a bug bounty program but greatly appreciate responsible disclosure.
For non-security questions about GenPRES, please use:
- GitHub Issues for bugs and features
- GitHub Discussions for questions and ideas
- See SUPPORT.md for more information
This security policy may be updated periodically. Check the commit history for changes.
Last updated: 2025-10-25