Security & Responsible Disclosure

OpenMed de-identifies PHI and other personal data, so a redaction bypass or PHI/PII leak is a security defect — report it privately, never as a public issue.

Never include real PHI/PII in a report

OpenMed exists to keep such data private. Reproduce issues with synthetic data and redact any sample text. A report that leaks real data is itself an incident.

The canonical policy lives in SECURITY.md at the repository root; this page is a pointer so it stays a single source of truth.