If you discover a security vulnerability in DicomGhost itself (not in the medical devices it analyzes), please do not open a public GitHub issue.

Instead, report it privately:

Email: shantanu@dicomghost.dev
Subject line: [DicomGhost] Security Vulnerability Report

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fix (optional)

You will receive a response within 7 days. If the vulnerability is confirmed, a fix will be released as soon as possible and you will be credited in the changelog (unless you prefer to remain anonymous).

Vulnerabilities in scope:

• Code execution via malicious PCAP files
• Path traversal in file output
• Dependency vulnerabilities (scapy, etc.)
• Logic flaws that could cause false negatives in PHI detection

Out of scope:

• Vulnerabilities in the medical devices or protocols DicomGhost detects
• Issues in third-party tools or libraries (report those upstream)

DicomGhost is a defensive security research tool. Responsible security research conducted in good faith is welcomed and will not result in legal action. We ask that you:

• Give us reasonable time to fix before public disclosure
• Do not access, modify, or exfiltrate any real patient data during research
• Do not test against systems you don't own or have explicit permission to test

DicomGhost is designed for authorized security assessments only. Using it against systems without written authorization may violate laws including HIPAA, the Computer Fraud and Abuse Act (CFAA), and equivalent legislation in your jurisdiction.