Please do not file public issues for security problems. If you have discovered a security flaw, bug, or vulnerability related to this project, ahrq.gov, or any of its subdomains, please report it through one of the official channels below:
- GitHub Private Advisory: Open a private advisory via the "Report a vulnerability" button under the Security tab of this repository.
- Email Notification: Send details to AHRQSecureAHRQ@ahrq.hhs.gov.
- Official HHS Channel: The Department of Health and Human Services (HHS) handles broad infrastructure vulnerabilities through its official program. You can submit reports via the HHS Responsible Disclosure Portal.
- Federal Government-Wide Alternative: For general digital infrastructure vulnerabilities across federal agencies, the Department of Homeland Security (DHS) accepts reports via vulnerability.disclosure.prog@hq.dhs.gov.
We aim to acknowledge all reports within 2 business days.
To ensure the safety of our users and systems, we appreciate your cooperation in adhering to a responsible disclosure workflow, allowing teams adequate time to remediate vulnerabilities prior to public announcement.