Do not open a public GitHub issue for security vulnerabilities.
To report a vulnerability, please email security@cms.hhs.gov or EASiFeedback@cms.hhs.gov.
Include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
We will acknowledge your report within 3 business days and aim to resolve confirmed vulnerabilities within 90 days.
CMS supports responsible security research. We will not pursue legal action against researchers who act in good faith and follow this policy.