Please report security vulnerabilities using GitHub's private reporting flow rather than a public issue: go to the Security tab of this repository and choose "Report a vulnerability". This lets us investigate and patch the issue before details are public.
If you're unable to use that flow for any reason, a regular GitHub Issue is the fallback — please avoid including exploit details in that case until a fix is available.
SceneSim is an educational simulation tool. Relevant reports include (but aren't limited to):
- Ways to bypass the content boundary between the deterministic engine and the LLM (e.g. getting
the LLM to reveal
patient_truthor unrevealed findings it shouldn't have access to) - Injection or auth issues in the FastAPI backend (
apps/api/) - Secrets or credentials accidentally exposed in the repository or client bundle
- SceneSim is not a clinical tool and holds no real patient data by design — reports premised on it handling real PHI are out of scope.
- The public demo at emt-sim.vercel.app is provided for evaluation only, without any uptime or data-retention guarantees.
This project does not yet maintain multiple release branches; security fixes are applied to the
master branch.