At Sheger Health Connect, we take the security and privacy of patient medical data, physician communications, and administrative operations incredibly seriously. This document outlines our security support policies, vulnerability reporting procedures, and architectural safeguards.
We actively maintain and provide security patches for the latest major production releases.
| Version | Supported | Description |
|---|---|---|
| v1.0.x (Current) | ✅ Yes | Production release with full RBAC, JWT auth, and private chat isolation. |
| < v1.0.0 | ❌ No | Alpha/Beta pre-release builds. Please upgrade to the latest stable release. |
We deeply value the efforts of security researchers, developers, and clinical staff in keeping our platform secure. If you discover a potential security vulnerability in Sheger Health Connect, please do not disclose it publicly in GitHub issues.
- Private Contact: Email your findings directly to the lead maintainer at gemachistesfaye@gmail.com or submit a private vulnerability report via the GitHub Security tab.
- Details to Include:
- Summary of the vulnerability (e.g., XSS, SQLi, Broken Access Control, IDOR).
- Proof of Concept (PoC) or step-by-step instructions to reproduce the issue.
- Perceived impact on patient data privacy or system integrity.
- Response Timeline:
- Triage & Acknowledgment: Within 24 to 48 hours of submission.
- Remediation & Patching: Within 3 to 5 business days depending on severity.
- Coordinated Disclosure: Once a fix is deployed to production, we will publish a security advisory crediting the discovering researcher.
For an exhaustive breakdown of our backend middleware, database models, and network boundaries, please review our comprehensive Security Architecture Documentation.
Strict isolation between Admin, Doctor, and Patient roles is enforced at the Express middleware level (the `authorize` middleware). Lateral and vertical privilege escalation are systematically blocked across all REST API endpoints.
Direct messaging between doctors and patients uses strict sender/receiver ID validation at both the Express controller and Socket.io WebSocket levels, ensuring that medical consultations remain completely confidential with zero cross-tenant leakage.
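The two controls described above, as an added illustration that is not Sheger Health Connect's own code: a role-gating `authorize` middleware in the Express `(req, res, next)` shape, the REST-side check that only a message's sender or receiver may read it, and the WebSocket-side check that a client cannot spoof `senderId` or message outside a doctor-patient pair. All names, the `req.user = { id, role }` shape, and the sample users are assumptions.

```javascript
// Added example, not Sheger Health Connect's own code. Assumes an earlier JWT
// middleware already populated req.user = { id, role } from a verified token.

// authorize(...allowed): 401 for unauthenticated callers, 403 for callers whose
// role is not in the allow-list, otherwise hand off to the route handler.
function authorize(...allowed) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: 'unauthenticated' });
    if (!allowed.includes(req.user.role)) return res.status(403).json({ error: 'forbidden' });
    return next();
  };
}

// REST side: a stored message is readable only by its sender or its receiver.
// The comparison uses the id from the verified token, never one from the request body.
function canReadMessage(user, message) {
  return user.id === message.senderId || user.id === message.receiverId;
}

// WebSocket side: validate an outgoing chat payload against the authenticated
// socket user. usersById is a constructed stand-in for a user lookup.
function validateOutgoingMessage(socketUser, payload, usersById) {
  if (payload.senderId !== socketUser.id) return { ok: false, reason: 'sender spoofed' };
  const receiver = usersById.get(payload.receiverId);
  if (!receiver) return { ok: false, reason: 'unknown receiver' };
  const roles = new Set([socketUser.role, receiver.role]);
  if (!(roles.has('doctor') && roles.has('patient'))) return { ok: false, reason: 'not a doctor-patient pair' };
  if (typeof payload.text !== 'string' || payload.text.length === 0) return { ok: false, reason: 'empty message' };
  return { ok: true };
}

// Constructed minimal req/res stand-ins so the middleware runs without Express installed.
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

function runAuthorize(allowed, user) {
  const res = makeRes();
  let nextCalled = false;
  authorize(...allowed)({ user }, res, () => { nextCalled = true; });
  return { nextCalled, statusCode: res.statusCode };
}

// Constructed sample users for a stand-alone run.
const users = new Map([[1, { id: 1, role: 'doctor' }], [2, { id: 2, role: 'patient' }], [3, { id: 3, role: 'patient' }]]);
console.log(runAuthorize(['admin'], users.get(1)));  // doctor hitting an admin route: 403
console.log(validateOutgoingMessage(users.get(2), { senderId: 2, receiverId: 1, text: 'hi' }, users));  // { ok: true }
```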
- Passwords: Hashed securely using `bcrypt` with automated salt generation. Plaintext passwords are never stored in the database or logged in system outputs.
- Tokens: Stateless JSON Web Tokens (JWT) with strict 24-hour expiration windows.
- SQL Injection: Every database query executes through Sequelize ORM using parameterized statements, preventing raw SQL injection.
- Transit: 100% encrypted over HTTPS/TLS via Vercel and Render SSL termination.
Protecting Healthcare Connectivity with Enterprise-Grade Security