We actively support the following versions of HepatoCAI with security updates:

We take the security of HepatoCAI seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please send an email to: security@hepatocai.com

Include the following information:

• Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit the issue

• Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
• Initial Assessment: We will provide an initial assessment within 5 business days
• Resolution: We aim to resolve critical vulnerabilities within 30 days
• Disclosure: We will work with you on coordinated disclosure timing

• We will respond to your report as quickly as possible
• We will keep you informed of our progress toward resolving the issue
• We may ask for additional information or guidance
• We will credit you for the discovery (unless you prefer to remain anonymous)

• JWT Tokens: Secure token-based authentication with configurable expiration
• OAuth Integration: Google and GitHub OAuth for secure social login
• Role-Based Access Control: Granular permissions (user, staff, superuser)
• Password Policies: Strong password requirements and validation
• Session Management: Secure session handling and automatic logout

• Rate Limiting: Configurable rate limits to prevent abuse
• Input Validation: Comprehensive input sanitization and validation
• CORS Configuration: Properly configured Cross-Origin Resource Sharing
• HTTPS Enforcement: SSL/TLS encryption for all communications
• API Versioning: Versioned APIs for backward compatibility

• Database Security: Encrypted connections and parameterized queries
• Data Sanitization: Input/output sanitization to prevent injection attacks
• Sensitive Data Handling: Secure storage of API keys and secrets
• Audit Logging: Comprehensive security event logging
• Data Encryption: Encryption at rest and in transit

• Security Headers: Comprehensive HTTP security headers
• Environment Isolation: Separate development, staging, and production environments
• Dependency Management: Regular security updates and vulnerability scanning
• Error Handling: Secure error messages that don't leak sensitive information

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin

• Always validate and sanitize user inputs
• Use parameterized queries to prevent SQL injection
• Implement proper error handling without information disclosure
• Follow secure coding guidelines for Django and React
• Regular security code reviews

• Use proper HTTP methods (GET, POST, PUT, DELETE)
• Implement proper authentication for all endpoints
• Validate request data with serializers
• Use HTTPS for all communications
• Implement rate limiting for public endpoints

• Use environment variables for database credentials
• Enable database connection encryption
• Implement proper database user permissions
• Regular database security audits
• Backup encryption and secure storage

• Use strong, unique passwords
• Enable two-factor authentication when available
• Log out from shared computers
• Report suspicious activities immediately
• Keep browser and applications updated

• Review privacy settings regularly
• Understand what data is collected and how it's used
• Use secure networks for accessing sensitive information
• Be cautious with sharing personal health information

We believe in responsible disclosure of security vulnerabilities. We request that:

1. Give us reasonable time to fix the issue before public disclosure
2. Do not access or modify data that doesn't belong to you
3. Do not perform tests that could harm our systems or users
4. Do not use social engineering against our employees or contractors

This security policy applies to:

• HepatoCAI web application (frontend and backend)
• API endpoints and services
• Authentication and authorization systems
• Data storage and processing systems

The following are generally outside our scope:

• Social engineering attacks
• Physical attacks
• Attacks requiring physical access to user devices
• Denial of service attacks
• Issues in third-party services we use (report to the respective vendors)

If we discover or are notified of a security incident:

1. Immediate Response (0-4 hours)

   • Assess and contain the incident
   • Notify key stakeholders
   • Begin investigation

2. Short-term Response (4-24 hours)

   • Implement fixes or workarounds
   • Monitor for additional threats
   • Prepare communication plan

3. Long-term Response (1-7 days)

   • Conduct thorough investigation
   • Implement permanent fixes
   • Review and update security measures
   • Notify affected users if necessary

• We will communicate security incidents transparently
• Users will be notified of any breaches affecting their data
• Post-incident reports will be published when appropriate

• Security Email: security@hepatocai.com
• General Support: support@hepatocai.com
• Emergency Contact: Available 24/7 for critical security issues

• Dependency Scanning: Regular automated scans for vulnerable dependencies
• Static Code Analysis: Automated code security analysis
• Security Monitoring: Real-time monitoring for suspicious activities
• Penetration Testing: Regular third-party security assessments

• OWASP Top 10
• Django Security Documentation
• React Security Best Practices
• NPM Security Advisories

While HepatoCAI is currently an educational platform, we follow healthcare data protection standards:

• HIPAA Compliance: Ready for HIPAA compliance when handling PHI
• GDPR Compliance: European data protection regulation compliance
• Data Minimization: Collect only necessary data
• Right to Deletion: User data deletion capabilities
• Data Portability: Export user data in standard formats

• ISO 27001: Information security management best practices
• NIST Framework: Cybersecurity framework guidelines
• SOC 2: Service organization control standards (planned)

• Monthly: Dependency updates and vulnerability scans
• Quarterly: Security policy and procedure reviews
• Annually: Comprehensive security audits and penetration testing
• As Needed: Incident response and lessons learned reviews

• Regular security awareness training for all team members
• Secure coding practices workshops
• Incident response drills
• Security tool training

• Security coding guidelines
• Incident response procedures
• Security architecture documentation
• Threat modeling documentation

Last Updated: January 13, 2025

Version: 1.0

For questions about this security policy, please contact: security@hepatocai.com