This repository is the canonical, version-controlled home for the OpenMRS community's security policies, processes, and guidance. Documents here are maintained through pull requests and reviewed by the OpenMRS Security Group.
Reporting a vulnerability? Do not open an issue here. Email security@openmrs.org or use GitHub private vulnerability reporting on the affected repository. See our vulnerability management policy for what to expect.
OpenMRS security documentation has historically lived across the wiki, Talk, and individual repositories. This repository consolidates policy-level documents in one reviewable, versioned place — following the pattern of projects like Kubernetes and the Eclipse Foundation security handbook. Where wiki pages and this repository conflict, this repository is authoritative for policy; the wiki remains the home for tutorials and implementation guidance.
| Document | Status |
|---|---|
| Security documentation recommendations — review of peer-project practices and the roadmap for this repository | Published |
| Vulnerability reporting policy (SECURITY.md template for all OpenMRS repos) | Planned |
| Supported versions & security backport policy | Planned |
| Vulnerability scope statement (what is / is not a security issue; AI-generated report policy) | Planned |
| Security response runbook (committer-facing) | Planned |
| Security Group charter | Planned |
| Severity rubric | Planned |
| Advisory authoring guide | Planned |
| Pre-notification list governance | Planned |
| Shared-responsibility statement (HIPAA / GDPR / data-protection posture) | Planned |
Improvements are welcome via pull request. Substantive policy changes require review by the Security Group. Discussion happens on OpenMRS Talk — please do not raise undisclosed vulnerabilities in public threads.