Skip to content

Security: HHS-AHRQ/MEPS

SECURITY.md

Security Policy

Reporting a Vulnerability

Please do not file public issues for security problems. If you have discovered a security flaw, bug, or vulnerability related to this project, ahrq.gov, or any of its subdomains, please report it through one of the official channels below:

  1. GitHub Private Advisory: Open a private advisory via the "Report a vulnerability" button under the Security tab of this repository.
  2. Email Notification: Send details to AHRQSecureAHRQ@ahrq.hhs.gov.
  3. Official HHS Channel: The Department of Health and Human Services (HHS) handles broad infrastructure vulnerabilities through its official program. You can submit reports via the HHS Responsible Disclosure Portal.
  4. Federal Government-Wide Alternative: For general digital infrastructure vulnerabilities across federal agencies, the Department of Homeland Security (DHS) accepts reports via vulnerability.disclosure.prog@hq.dhs.gov.

We aim to acknowledge all reports within 2 business days.

Preferred Disclosure Process

To ensure the safety of our users and systems, we appreciate your cooperation in adhering to a responsible disclosure workflow, allowing teams adequate time to remediate vulnerabilities prior to public announcement.

There aren't any published security advisories