Refer to our organisation-wide security vulnerability policy.

You may also wish to consult our security.txt file.

Tamanu security updates are issued for the latest released version only, unless other arrangements are made with distinct parties.

Report Tamanu security issues with the github disclosure page.

For all other reports, or if you're not sure, email [email protected].

The BES security team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix, and may ask for additional information or guidance.

BES runs a number of test sites. These are out of scope for data breaches and credential compromise.

Report security bugs in third-party modules to the person or team maintaining the module. You can also report a vulnerability to third-party npm modules through the npm contact form by selecting "I'm reporting a security vulnerability".