The HMS TZ team takes security issues seriously. We appreciate your efforts to responsibly disclose your findings.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via email to: info@aakvatech.com
Include the following information in your report:
- Type of issue (e.g., SQL injection, XSS, authentication bypass, etc.)
- Full paths of source file(s) related to the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue and potential attack scenarios
Response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution Target: Within 30 days (depending on complexity)
Supported versions:

| Version | Supported |
|---|---|
| 15.x.x | Yes |
When developing with HMS TZ:
- Always use Frappe's ORM - Avoid raw SQL queries
- Validate user input - Use Frappe's built-in validation
- Check permissions - Use `frappe.has_permission()`
- Sanitize output - Use `frappe.utils.escape_html()` when needed
- Avoid `eval()` and `exec()` - Use safer alternatives
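An added example (not HMS TZ's own code) of a server method that follows these guidelines: validate input, call `frappe.has_permission()`, query through the ORM instead of string-built SQL, and escape the output. It assumes the Healthcare `Patient` doctype; `SORT_FIELDS`, `validate_patient_query` and the other names are hypothetical.

```python
import html
import re

# Hypothetical allow-list of the only sort keys a caller may request (assumption).
SORT_FIELDS = {"name", "patient_name", "modified"}


def validate_patient_query(name_fragment, order_by="modified"):
    """Reject input before it reaches the ORM: empty/oversized strings, control
    characters, SQL LIKE wildcards, and a sort key that is not allow-listed."""
    if not isinstance(name_fragment, str) or not 1 <= len(name_fragment.strip()) <= 64:
        raise ValueError("name_fragment must be 1-64 characters")
    if re.search(r"[\x00-\x1f%_]", name_fragment):
        raise ValueError("name_fragment contains disallowed characters")
    if order_by not in SORT_FIELDS:
        raise ValueError("order_by is not an allowed field")
    return name_fragment.strip(), order_by


def unsafe_patient_search_sql(name_fragment):
    """The anti-pattern the guideline warns against: raw SQL built by string
    concatenation. Returned, not executed, so it can be compared with the safe path."""
    return ("select name, patient_name from `tabPatient` "
            "where patient_name like '%" + name_fragment + "%'")


def render_patient_rows(rows):
    """Escape every value before it is placed into HTML. Inside a Frappe app use
    frappe.utils.escape_html(); html.escape does the same job here so this helper
    can run outside a bench."""
    items = []
    for row in rows:
        items.append('<li data-name="%s">%s</li>' % (
            html.escape(str(row["name"]), quote=True),
            html.escape(str(row.get("patient_name") or ""), quote=True)))
    return "".join(items)


def safe_patient_search(name_fragment, order_by="modified"):
    """Server method as it would be exposed with @frappe.whitelist():
    validate, check permission, query through the ORM, escape the output."""
    import frappe  # imported lazily so the pure helpers above are testable without a bench
    fragment, order_by = validate_patient_query(name_fragment, order_by)
    if not frappe.has_permission("Patient", ptype="read"):
        frappe.throw("Not permitted to read Patient records", frappe.PermissionError)
    rows = frappe.get_all("Patient", fields=["name", "patient_name"], limit=20,
                          filters={"patient_name": ["like", "%" + fragment + "%"]},
                          order_by=order_by + " desc")
    return render_patient_rows(rows)
```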