If you discover a security vulnerability in DentalERP, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

1. Email abinavselvam@gmail.com with:

   • A description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

2. You will receive an acknowledgment within 48 hours.

3. We will work with you to understand and resolve the issue before any public disclosure.

• Acknowledgment: Within 48 hours of your report.
• Status Update: Within 5 business days with an assessment.
• Resolution: We aim to release a fix within 14 days for critical vulnerabilities.
• Credit: We will credit you in the release notes (unless you prefer to remain anonymous).

• Never commit .env files — use .env.example as a template
• Generate strong secrets for NEXTAUTH_SECRET, ENCRYPTION_KEY, and CRON_SECRET
• Use HTTPS in production (reverse proxy with nginx or Caddy)
• Restrict database access — don't expose MySQL to the public internet
• Keep dependencies updated — run npm audit regularly
• Change default credentials immediately after seeding the database