Security: csphu/radbridge

docs/SECURITY.md

Security Policy

Overview

RadBridge is designed for healthcare environments where security and HIPAA compliance are critical. This document outlines our security practices and how to report vulnerabilities.

Supported Versions

Version Supported
1.0.x Yes
< 1.0 No

Security Features

Container Security

  • Rootless Containers: All services run under rootless Podman with user namespace isolation, so uid 0 inside a container maps to the unprivileged deploying user on the host and a container escape does not yield host root
  • Capability Dropping: Every container drops ALL Linux capabilities and adds back only the ones that particular service needs
  • No New Privileges: NoNewPrivileges=true stops processes from gaining privileges through setuid/setgid binaries or file capabilities after exec
  • Resource Limits: CPU, memory and task (PID) quotas keep a runaway or compromised service from exhausting the host
  • Read-only Mounts: Configuration files are mounted read-only (:ro) wherever the service does not need to write them

Secrets Management

  • Podman Secrets: All credentials are stored as Podman secrets, never in compose files, unit files or the repository. Note that Podman's default file secret driver stores secret data base64-encoded rather than encrypted under the user's container storage, so that directory needs the same at-rest protection as the data volumes
  • Runtime Injection: Secrets are delivered to containers when they start, not written into configs. A secret injected as an environment variable is visible through podman inspect and /proc/<pid>/environ; where a service can read a file, mounting the secret under /run/secrets is the stronger option
  • No Credential Commits: .gitignore excludes local credential and environment files so they are not committed by accident
  • Separate Database Users: Each service connects to PostgreSQL with its own role and password, limiting what a compromised service can reach in the database

Network Security

  • Internal Network: Services communicate over an isolated bridge network that is not reachable from outside the host
  • Reverse Proxy: Web UIs are not published directly; they are reached only through nginx on that internal network
  • Port Restrictions: Only essential ports are published to the host; everything else stays on the internal network
  • TLS Ready: nginx is laid out for TLS termination, but no certificate is installed by default, so browser and API traffic stays in cleartext until you add one (see HIPAA Considerations below)

Audit & Monitoring

  • Structured Logging: All services log to the systemd journal, each under its own syslog identifier (for example orthanc-quadlet), so journalctl -t can isolate one service's output
  • Centralized Logs: journalctl provides unified log access
  • Service Monitoring: systemd tracks service health and restarts

HIPAA Considerations

When deploying RadBridge in HIPAA-covered environments, consider:

Technical Safeguards

  • Enable TLS/SSL for all web interfaces
  • Configure firewall rules (firewalld/iptables)
  • Implement log retention policies
  • Enable at-rest encryption for volumes
  • Configure automated security updates
  • Deploy file integrity monitoring and host intrusion detection (AIDE, Wazuh)
  • Implement backup encryption

Access Controls

  • Change all default passwords immediately
  • Implement strong password policies
  • Enable multi-factor authentication where supported
  • Configure role-based access control
  • Maintain audit logs of access attempts
  • Review and rotate credentials regularly

Data Protection

  • Ensure PHI is encrypted in transit (TLS/SSL)
  • Encrypt volumes containing patient data
  • Implement data retention and disposal policies
  • Configure automatic session timeouts
  • Disable unnecessary services and ports

Reporting a Vulnerability

Do NOT open public issues for security vulnerabilities.

Preferred Contact Methods

  1. GitHub Security Advisories: Use the "Security" tab to privately report vulnerabilities
  2. Email: Contact the maintainer directly at [your-email] (encrypt with GPG if possible)

What to Include

  • Description: Clear description of the vulnerability
  • Impact: Potential security impact and affected components
  • Reproduction: Step-by-step instructions to reproduce
  • Environment: OS, Podman version, affected services
  • Suggested Fix: If you have recommendations

Response Timeline

  • Acknowledgment: Within 48 hours of report
  • Initial Assessment: Within 5 business days
  • Fix Timeline: Depends on severity
    • Critical: 7 days
    • High: 14 days
    • Medium: 30 days
    • Low: 60 days
  • Disclosure: Coordinated disclosure after fix is available

Security Best Practices

Installation

# Always verify repository source
git clone https://github.com/csphu/radbridge.git
cd radbridge

# Generate strong random passwords
openssl rand -base64 24

# Use the provided setup script for secure initialization
./setup.sh

Updates

# Pull latest changes (review the diff of any .container/.network unit before applying it)
git pull origin master

# Update container images. Tags are pinned, so bump the Image= line in the
# corresponding Quadlet unit first and pull that tag; re-pulling an unchanged
# tag only fetches anything if the tag was re-pushed upstream.
podman pull docker.io/orthancteam/orthanc:26.1.0
podman pull docker.io/postgres:17-alpine

# Regenerate services if any Quadlet file changed, then restart
# (database first unless the units already declare that ordering).
systemctl --user daemon-reload
systemctl --user restart postgres.service orthanc.service

Monitoring

# Check for failed authentication attempts
journalctl --user | grep -i "failed\|denied\|unauthorized"

# Monitor resource usage
podman stats --no-stream

# Review security logs
journalctl --user -t orthanc-quadlet --since today

Hardening Checklist

  • Run an image vulnerability scan with a scanner such as trivy (trivy image <image>) or grype (grype <image>); Podman itself has no scan subcommand
  • Review capabilities: podman inspect <container> --format '{{.EffectiveCaps}}' should list only what the unit's AddCapability= grants
  • Verify user namespaces: podman unshare cat /proc/self/uid_map must map uid 0 to your unprivileged host UID, not to 0
  • Test secret injection: search the journal and podman inspect output for each secret value; none should appear in plaintext
  • Validate TLS certificates (when implemented)
  • Configure SELinux/AppArmor if available, and keep the :Z/:z labels on bind mounts under SELinux
  • Set up automated vulnerability scanning
  • Document incident response procedures
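The capability, user-namespace and secret-injection items above are one-liners whose output still has to be read by a person. The script below is an added example, not part of RadBridge: it turns those three checks into pass/fail functions that take the text of the commands above as input, plus a wrapper that runs them against a live rootless setup. The allowlist of capabilities, the container name orthanc, the secret name orthanc_db_password and the syslog identifier orthanc-quadlet are illustrative assumptions; the wrapper only calls podman and journalctl when invoked with three arguments.

```shell
#!/usr/bin/env bash
# Added example, not part of RadBridge: turns three checklist items (capability
# review, user-namespace check, plaintext-secret check) into pass/fail
# functions, plus a wrapper that runs them against a live rootless setup.
# Container, secret and syslog-identifier names are illustrative assumptions.
set -eu

# Capabilities a hardened service may keep; match the unit's AddCapability=.
ALLOWED_CAPS="CAP_NET_BIND_SERVICE"

# audit_caps "<output of podman inspect CTR --format '{{.EffectiveCaps}}'>"
# Prints each capability outside ALLOWED_CAPS; returns 1 if any was found.
audit_caps() {
    local caps cap rc=0
    caps=$(printf '%s' "$1" | tr -d '[]')   # Go prints the list as [A B C]
    for cap in $caps; do
        case " $ALLOWED_CAPS " in
            *" $cap "*) ;;
            *) echo "unexpected capability: $cap"; rc=1 ;;
        esac
    done
    return $rc
}

# uid_map_is_rootless "<output of podman unshare cat /proc/self/uid_map>"
# Returns 0 when uid 0 inside the namespace maps to a non-zero host UID.
uid_map_is_rootless() {
    local host
    host=$(printf '%s\n' "$1" | awk '$1 == 0 { print $2; exit }')
    if [ -n "$host" ] && [ "$host" != "0" ]; then
        return 0
    fi
    return 1
}

# secret_in_text VALUE TEXT: returns 0 if the literal secret value occurs in
# TEXT (journal output, podman inspect output, a config dump).
secret_in_text() {
    printf '%s\n' "$2" | grep -qF -- "$1"
}

# run_live_checks CTR SECRET SYSLOG_ID, e.g.
#   run_live_checks orthanc orthanc_db_password orthanc-quadlet
# Reads the secret back from its mount inside the container so the value is
# never typed on a command line.
run_live_checks() {
    local ctr="$1" secret="$2" ident="$3" value logs rc=0
    command -v podman >/dev/null || { echo "podman not found" >&2; return 2; }
    audit_caps "$(podman inspect "$ctr" --format '{{.EffectiveCaps}}')" || rc=1
    uid_map_is_rootless "$(podman unshare cat /proc/self/uid_map)" \
        || { echo "uid 0 maps to host root: not rootless" >&2; rc=1; }
    value=$(podman exec "$ctr" cat "/run/secrets/$secret")
    logs=$(journalctl --user -t "$ident" --since today; podman inspect "$ctr")
    if secret_in_text "$value" "$logs"; then
        echo "secret $secret appears in plaintext in logs or inspect output" >&2
        rc=1
    fi
    return $rc
}

if [ "$#" -eq 3 ]; then
    run_live_checks "$@"
fi
```

A non-zero exit from run_live_checks is meant to fail a cron job or CI step, so the three items become a regression test rather than a one-off review. The plaintext check is deliberately a literal match on the real secret value; pattern-based searches for "password" miss values that a service echoes without a label.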

Security Updates

We recommend:

  • Subscribe to GitHub repository notifications
  • Monitor container image security advisories
  • Regularly update base images and dependencies
  • Test updates in non-production environment first

Compliance Resources

Questions?

For security questions that are not vulnerabilities, please:

  • Open a GitHub Discussion
  • Review existing documentation
  • Contact the maintainer

Last Updated: February 12, 2026
