
security: add SECURITY.md with vulnerability reporting policy#167

Open

charantejguniganti wants to merge 2 commits into PSMRI:main from charantejguniganti:security/add-security-policy

Conversation

@charantejguniganti

@charantejguniganti charantejguniganti commented May 16, 2026

Noticed there was no SECURITY.md while going through the repo, so I've added one.

AMRIT handles patient health records across a lot of services, so having a clear path for responsible disclosure feels important. GitHub also surfaces this file as a "Report a vulnerability" button on the Security tab, which is useful for the community.

The policy covers the preferred reporting channel (GitHub private advisory), what to include in a report, response timelines, in-scope components, and some basic deployment security notes.

Happy to update the contact email or any specifics if there's a preferred team address.

@coderabbitai

coderabbitai Bot commented May 16, 2026

Warning

Rate limit exceeded

@charantejguniganti has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 48 minutes and 30 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 855b92cc-6bc8-4632-a9d1-9e73edeae1f5

📥 Commits

Reviewing files that changed from the base of the PR and between 5358011 and ab4ed48.

📒 Files selected for processing (1)
  • SECURITY.md
📝 Walkthrough

Walkthrough

This PR introduces AMRIT's security policy document. It defines supported versions, establishes vulnerability reporting channels and processes, specifies response timelines, distinguishes in-scope from out-of-scope vulnerabilities, provides deployment security guidance, and acknowledges maintainers.

Changes

Security Policy

| Layer / File(s) | Summary |
|---|---|
| Security policy document: SECURITY.md | Establishes supported versions, vulnerability reporting process via private advisory or email, required report details, response workflow with target timelines, reporting scope, deployer best practices for updates, secrets, HTTPS, CORS, and database controls, and maintainer attribution. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A warren's walls now stand so tall,
With shields and gates to protect all,
Whispered secrets find their way,
Through proper channels, come what may!
AMRIT's promise: safe and sound, 🛡️

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically summarizes the main change: adding a SECURITY.md file with vulnerability reporting policy. It is concise, directly related to the changeset, and accurately reflects the primary objective. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
SECURITY.md (1)

58-58: ⚡ Quick win

Tighten remediation SLA for critical vulnerabilities.

A flat “within 90 days” target for critical issues is too permissive. Use severity-based SLAs (critical/high/medium/low) with a materially shorter target for criticals.

Proposed policy wording
-| **Patch / Remediation** | Within **90 days** for critical issues |
+| **Patch / Remediation** | Severity-based targets (e.g., Critical: 7–30 days, High: 30 days, Medium: 60 days, Low: 90 days) |
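Review bot: the proposed row gives Critical a 7–30 day window, while the AI-agent prompt directly below specifies "Critical: 7 days"; the two should state the same figure, otherwise a maintainer applying the prompt and a reader of the policy will see different commitments. A range that stretches to 30 days also undercuts the stated goal of a "materially shorter target for criticals", so if a range is kept, its upper bound should sit well below the High target rather than equal to it.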
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` at line 58, Replace the flat “| **Patch / Remediation** | Within
**90 days** for critical issues |” policy entry with a severity-based SLA table
row that defines shorter targeted windows (e.g., Critical: 7 days, High: 30
days, Medium: 60 days, Low: 90 days); update the "Patch / Remediation" cell
content to list these timeframes and add a brief note about exceptions/expedited
handling and tracking metrics so reviewers can verify the change under the
"Patch / Remediation" heading.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@SECURITY.md`:
- Line 77: Replace the blanket exclusion sentence "Vulnerabilities in
third-party dependencies (please report these to the respective upstream
projects)" in SECURITY.md with wording that keeps upstream disclosure guidance
but explicitly allows reporting to the AMRIT team when a third‑party
vulnerability is reachable via AMRIT deployments; update the sentence to say
something like: upstream vendors should be notified and tracked, but security
reports are welcome to AMRIT when the vulnerability affects AMRIT deployments or
supply chain, and include guidance on what info to provide when reporting to
AMRIT (impact, reproduction steps, affected versions).

---

Nitpick comments:
In `@SECURITY.md`:
- Line 58: Replace the flat “| **Patch / Remediation** | Within **90 days** for
critical issues |” policy entry with a severity-based SLA table row that defines
shorter targeted windows (e.g., Critical: 7 days, High: 30 days, Medium: 60
days, Low: 90 days); update the "Patch / Remediation" cell content to list these
timeframes and add a brief note about exceptions/expedited handling and tracking
metrics so reviewers can verify the change under the "Patch / Remediation"
heading.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6a0785c0-8d89-44fc-9edd-66a78b5ab6d1

📥 Commits

Reviewing files that changed from the base of the PR and between 4f3a2f6 and 5358011.

📒 Files selected for processing (1)
  • SECURITY.md
