We take security seriously. This is healthcare. Vulnerabilities can affect protected health information.
Email security@upstream.cx with:
- A clear description of the vulnerability
- Steps to reproduce
- The affected repository and version
- Your assessment of severity
- (Optional) A suggested fix
Do not file public GitHub issues, discussions, or PRs for security disclosures.
We acknowledge receipt within 48 hours and provide an initial assessment within 5 business days. Critical issues are resolved within 30 days. We coordinate disclosure with the reporter.
In scope for our security program:
- All public repositories under https://github.com/Upstream-Intelligence
- The Upstream MCP server (@upstream-health/mcp-server on npm)
- The Upstream public API (api.upstream.cx)
- The Upstream marketing site (upstream.cx)
Out of scope:
- Self-hosted forks of our repositories
- Third-party integrations not maintained by Upstream Intelligence
- Issues in upstream dependencies (please report to the dependency maintainers)
- Social engineering attempts against our staff or customers
We follow a 90-day coordinated disclosure policy. Reporters who follow this policy are credited in the security advisory and may receive a public thank you (with permission).
We do not currently run a paid bug bounty program. Security researchers who report valid issues receive credit in the advisory and a thank you.
Upstream Intelligence operates under a HIPAA Business Associate Agreement framework for paid customers. Vulnerabilities affecting PHI handling are treated with the highest priority.
PGP key for encrypted reports available on request from security@upstream.cx.