We release patches for security vulnerabilities for the following versions:

We take the security of PharmaSys seriously. If you believe you have found a security vulnerability, please report it to us as described below.

• Do not open a public GitHub issue for security vulnerabilities
• Do not disclose the vulnerability publicly until we've had a chance to address it
• Do not exploit the vulnerability beyond what is necessary to demonstrate it

Please report security vulnerabilities by emailing: [INSERT SECURITY EMAIL]

In your report, please include:

1. Description of the vulnerability
2. Steps to reproduce the issue
3. Potential impact of the vulnerability
4. Any possible mitigations you've identified
5. Your contact information for follow-up questions

1. Acknowledgment: We will acknowledge receipt of your report within 48 hours
2. Assessment: We will investigate and assess the severity of the issue
3. Updates: We will keep you informed of our progress
4. Resolution: We will work to fix the vulnerability as quickly as possible
5. Disclosure: Once fixed, we will coordinate disclosure with you

• Initial Response: Within 48 hours
• Status Update: Within 5 business days
• Fix Timeline: Depends on severity
  • Critical: 1-7 days
  • High: 7-14 days
  • Medium: 14-30 days
  • Low: 30-90 days

When contributing to or using PharmaSys, please follow these security best practices:

1. Never commit sensitive data

   • API keys
   • Passwords
   • Access tokens
   • Private keys
   • Environment files with credentials

2. Use environment variables

   • Store secrets in .env files (never commit these)
   • Use .env.example for templates
   • Keep production credentials separate

3. Validate all inputs

   • Sanitize user input
   • Validate data types
   • Use parameterized queries
   • Prevent SQL injection

4. Follow authentication best practices

   • Use Supabase Auth properly
   • Implement Row Level Security (RLS)
   • Never bypass authentication checks
   • Use secure session management

5. Keep dependencies updated

   • Regularly update npm packages
   • Monitor security advisories
   • Use yarn audit to check for vulnerabilities
   • Address high/critical vulnerabilities promptly

6. Implement proper error handling

   • Don't expose sensitive error details to users
   • Log errors securely
   • Use generic error messages in production

7. Use HTTPS

   • Always use HTTPS in production
   • Don't transmit sensitive data over HTTP
   • Use secure cookies

1. Secure your environment

   • Use strong passwords
   • Enable two-factor authentication
   • Restrict database access
   • Use Supabase RLS policies

2. Regular updates

   • Keep the application updated
   • Apply security patches promptly
   • Monitor release notes

3. Database security

   • Use Row Level Security (RLS)
   • Limit database permissions
   • Regular backups
   • Audit access logs

4. Monitor for suspicious activity

   • Check application logs
   • Monitor authentication attempts
   • Set up alerts for unusual patterns

• We use Supabase Authentication
• Row Level Security (RLS) is enforced on all tables
• Session tokens are stored securely
• Password reset flows follow best practices

• Sensitive data is encrypted at rest (Supabase default)
• API calls use HTTPS
• User passwords are hashed (handled by Supabase Auth)
• Personal data follows privacy regulations

• Regular dependency audits via yarn audit
• Automated dependency updates via Dependabot
• Review security advisories

• Hosted on Supabase (SOC 2 Type II certified)
• Database backups are automated
• DDoS protection via Supabase infrastructure

Required security-related environment variables:

# Supabase Configuration (required)
VITE_SUPABASE_URL=your-supabase-url
VITE_SUPABASE_ANON_KEY=your-anon-key

# Never commit these values!
# Use different values for dev/staging/production

We recommend implementing a Content Security Policy (CSP) in production deployments.

• API endpoints should restrict CORS to trusted origins
• Supabase configuration handles CORS for backend

PharmaSys aims to comply with:

• GDPR: For data privacy (if applicable)
• HIPAA: For healthcare data (if applicable)
• SOC 2: Via Supabase infrastructure

Note: Compliance requirements may vary based on your deployment and use case.

• Supabase Security
• Supabase Security Best Practices

We regularly monitor security advisories for:

• React
• TypeScript
• Vite
• All npm dependencies

Run yarn audit to check for known vulnerabilities.

Security patches will be:

1. Released as quickly as possible
2. Documented in release notes
3. Announced in GitHub Security Advisories
4. Tagged with severity level

Currently, we do not have a formal bug bounty program. However, we greatly appreciate responsible disclosure and will acknowledge contributors in our security advisories.

If you have questions about security that aren't related to a specific vulnerability, please:

1. Check existing Discussions
2. Open a new discussion in the Security category
3. Contact the maintainers

We would like to thank the following individuals for responsibly disclosing security issues:

No vulnerabilities have been reported yet.

Last Updated: 2025-11-08

We review and update this security policy regularly to ensure it remains current and effective.