Skip to content

Security: evanqua/scenesim

Security

SECURITY.md

Security Policy

Reporting a vulnerability

Please report security vulnerabilities using GitHub's private reporting flow rather than a public issue: go to the Security tab of this repository and choose "Report a vulnerability". This lets us investigate and patch the issue before details are public.

If you're unable to use that flow for any reason, a regular GitHub Issue is the fallback — please avoid including exploit details in that case until a fix is available.

Scope

SceneSim is an educational simulation tool. Relevant reports include (but aren't limited to):

  • Ways to bypass the content boundary between the deterministic engine and the LLM (e.g. getting the LLM to reveal patient_truth or unrevealed findings it shouldn't have access to)
  • Injection or auth issues in the FastAPI backend (apps/api/)
  • Secrets or credentials accidentally exposed in the repository or client bundle

Out of scope

  • SceneSim is not a clinical tool and holds no real patient data by design — reports premised on it handling real PHI are out of scope.
  • The public demo at emt-sim.vercel.app is provided for evaluation only, without any uptime or data-retention guarantees.

Supported versions

This project does not yet maintain multiple release branches; security fixes are applied to the master branch.

There aren't any published security advisories