This repository holds the SQL on FHIR reference implementation, the shared test suite, and the test report site. We take security issues seriously and appreciate reports that help us keep the tooling safe to use.
Please report security vulnerabilities privately rather than opening a public issue. Use GitHub's private vulnerability reporting:
Published advisories appear on the GitHub Security Advisories page.
When reporting, please include as much of the following as you can:
- A description of the vulnerability and its potential impact.
- Steps to reproduce, including any sample input (for example, a FHIR resource or ViewDefinition that triggers the issue).
- The affected component (sof-js/, the test suite, or the report site) and version.
- Any suggested remediation, if you have one.
- We aim to acknowledge a report within five business days.
- We will keep you informed as we investigate and work towards a fix.
- Once a fix is available, we will publish an advisory and credit you, unless you ask to remain anonymous.
Please give us a reasonable opportunity to address the issue before any public disclosure.
This policy covers the code in this repository. The SQL on FHIR specification itself lives in a separate repository, FHIR/sql-on-fhir; please direct specification concerns there.