Security: makr-code/ThemisDB

SECURITY.md

Security Policy

Supported Versions

ThemisDB is actively maintained. Security updates are provided for the following versions:

Version Supported
1.x
0.9.x
< 0.9

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security vulnerability within ThemisDB, please follow these steps:

Do NOT:

  • Open a public GitHub issue for security vulnerabilities
  • Discuss the vulnerability publicly before it's been addressed
  • Exploit the vulnerability beyond what's necessary to demonstrate it

Do:

  1. Report via GitHub Security Advisories (Recommended):

    • Go to Security Advisories
    • Create a new private security advisory
    • Include:
      • A description of the vulnerability
      • Steps to reproduce the issue
      • Potential impact assessment
      • Any suggested fixes (optional)
  2. Use responsible disclosure - Give us reasonable time to address the issue before any public disclosure

  3. Provide sufficient detail so we can reproduce and verify the issue

What to expect:

Timeframe    Action
24 hours     Acknowledgment of your report
72 hours     Initial assessment and severity classification
7-14 days    Detailed response with remediation plan
30-90 days   Fix released (depending on severity and complexity)

Security Measures

ThemisDB implements the following security measures:

Authentication & Authorization

  • Role-Based Access Control (RBAC) with 4-tier hierarchy
  • mTLS (Mutual TLS) support for client authentication
  • Token-based API authentication
  • HashiCorp Vault integration for secrets management

Encryption

  • Data-at-Rest: AES-256-GCM encryption
  • Data-in-Transit: TLS 1.3 (TLS 1.2 fallback)
  • Field-Level Encryption: Schema-based selective encryption
  • Key Management: HSM (PKCS#11), Vault, or Mock providers

Input Validation

  • JSON Schema validation
  • AQL injection prevention
  • Path traversal protection
  • Request body size limits (10MB default)

Rate Limiting & DoS Protection

  • Token bucket algorithm (100 req/min default)
  • Per-IP and per-user rate limiting
  • Configurable thresholds
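The three bullets above name the mechanism without showing it. The following is an added example, not ThemisDB code: a per-key token bucket in Python with the 100 requests/minute default quoted above as its default, a configurable limit and window, and an injected clock so the refill behaviour can be checked deterministically. The client keys, the 130-request burst and the 30-second wait are constructed values.

```python
import time
from typing import Callable, Dict


class RateLimiter:
    """Per-key token-bucket limiter (key = client IP or user id).

    Default of 100 requests per minute mirrors the figure quoted in the policy;
    the thresholds are constructor arguments so they stay configurable.
    A clock is injected so the behaviour can be tested deterministically.
    """

    def __init__(self, requests: int = 100, per_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.capacity = float(requests)      # burst size = bucket capacity
        self.requests = float(requests)
        self.per_seconds = per_seconds
        self.clock = clock
        # key -> [tokens, timestamp of last refill]
        self.buckets: Dict[str, list] = {}

    def _refill(self, bucket: list, now: float) -> None:
        elapsed = max(0.0, now - bucket[1])
        # Tokens accrue continuously at requests/per_seconds, capped at capacity.
        bucket[0] = min(self.capacity, bucket[0] + elapsed * self.requests / self.per_seconds)
        bucket[1] = now

    def allow(self, key: str, cost: float = 1.0) -> bool:
        """Consume `cost` tokens for `key`; False means reject the request (e.g. HTTP 429)."""
        now = self.clock()
        bucket = self.buckets.setdefault(key, [self.capacity, now])  # new clients start full
        self._refill(bucket, now)
        if bucket[0] >= cost:
            bucket[0] -= cost
            return True
        return False


class FakeClock:
    """Manually advanced clock used only for the constructed scenario below."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate(limit: int = 100, burst: int = 130) -> Dict[str, int]:
    """Constructed scenario: one client sends `burst` requests at once, a second client
    sends one request, then the first client retries after 30 seconds."""
    clock = FakeClock()
    limiter = RateLimiter(requests=limit, per_seconds=60.0, clock=clock)
    first_burst = sum(limiter.allow("10.0.0.1") for _ in range(burst))
    other_client = int(limiter.allow("10.0.0.2"))   # separate bucket, unaffected by the burst
    clock.advance(30.0)                              # half the window: half the tokens refilled
    after_30s = sum(limiter.allow("10.0.0.1") for _ in range(burst))
    return {"first_burst": first_burst, "other_client": other_client, "after_30s": after_30s}


if __name__ == "__main__":
    print(simulate())   # {'first_burst': 100, 'other_client': 1, 'after_30s': 50}
```

Keying the buckets on both IP and user id (as the bullets list) is a matter of what string is passed as `key`; a deployment behind a proxy must derive the IP from a trusted header, not the socket peer, or every client shares one bucket.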

Audit & Compliance

  • 65+ security event types
  • Encrypt-then-Sign audit logs
  • Hash chain for tamper detection
  • SIEM integration (Syslog RFC 5424, Splunk HEC)
  • GDPR/DSGVO, eIDAS, SOC 2, HIPAA compliance ready
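To make the "hash chain for tamper detection" and "Encrypt-then-Sign" bullets concrete, here is an added example that is not ThemisDB's audit implementation: a minimal append-only log in Python where each record stores the SHA-256 of the previous record's hash plus its own canonical content, and an HMAC-SHA256 over that hash serves as the signature. The encryption step is omitted because the standard library has no AES; in an encrypt-then-sign design the ciphertext, not the plaintext, would be what gets hashed and signed. The events, the signing key and the three tampering attempts are constructed for the demonstration.

```python
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple

GENESIS = "0" * 64   # stands in for "the hash before the first record"


def canonical(event: Dict[str, Any]) -> bytes:
    """Deterministic serialisation so every verifier hashes identical bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def chain_hash(prev_hash: str, event: Dict[str, Any]) -> str:
    """Record hash = SHA-256(previous record hash || canonical event)."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(event))
    return h.hexdigest()


def sign(key: bytes, record_hash: str) -> str:
    """HMAC-SHA256 over the chained hash: the 'sign' step, key held by the logger."""
    return hmac.new(key, record_hash.encode(), hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, signing_key: bytes) -> None:
        self.key = signing_key
        self.records: List[Dict[str, Any]] = []

    def append(self, event: Dict[str, Any]) -> Dict[str, Any]:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record_hash = chain_hash(prev, event)
        record = {"event": event, "prev": prev, "hash": record_hash,
                  "sig": sign(self.key, record_hash)}
        self.records.append(record)
        return record


def verify(records: List[Dict[str, Any]], key: bytes) -> Tuple[bool, int]:
    """Walk the chain; return (True, -1) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or chain_hash(prev, rec["event"]) != rec["hash"]:
            return False, i          # content or linkage altered
        if not hmac.compare_digest(sign(key, rec["hash"]), rec["sig"]):
            return False, i          # hash recomputed by someone without the key
        prev = rec["hash"]
    return True, -1


def demo() -> Dict[str, Tuple[bool, int]]:
    """Constructed events and three tampering attempts, each against a copy of the log."""
    key = b"constructed-demo-key-do-not-reuse"
    log = AuditLog(key)
    for event in [
        {"type": "auth.login", "user": "alice", "outcome": "success"},
        {"type": "auth.login", "user": "mallory", "outcome": "denied"},
        {"type": "rbac.role_change", "user": "alice", "role": "admin"},
    ]:
        log.append(event)

    edited = copy.deepcopy(log.records)
    edited[1]["event"]["outcome"] = "success"           # alter a record, leave its hash alone

    rehashed = copy.deepcopy(edited)
    rehashed[1]["hash"] = chain_hash(rehashed[1]["prev"], rehashed[1]["event"])  # fix the hash, no key

    truncated = log.records[:-1]                         # drop the most recent record

    return {
        "intact": verify(log.records, key),
        "edit_in_place": verify(edited, key),
        "edit_and_rehash": verify(rehashed, key),
        "truncated": verify(truncated, key),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

The `truncated` case is the caveat worth noticing: a hash chain detects edits and reordering but says nothing about records silently dropped from the tail. Detecting that requires anchoring the latest hash somewhere the logger cannot rewrite, which is one reason to forward the log (and its head hash) to an external SIEM as the bullet above describes.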

Security Hardening

For production deployments, please follow our Security Hardening Guide:

  1. Enable TLS with strong cipher suites
  2. Configure RBAC with least-privilege principle
  3. Enable audit logging with encryption
  4. Use external key management (Vault/HSM)
  5. Configure rate limiting appropriately
  6. Set up monitoring and alerting
  7. Apply security updates and patches regularly

Security Documentation

Vulnerability Disclosure Policy

We follow responsible disclosure practices:

  1. Acknowledgment: Security researchers who responsibly disclose vulnerabilities will be acknowledged in our security advisories (unless they prefer to remain anonymous)

  2. No Legal Action: We will not take legal action against security researchers who:

    • Act in good faith
    • Follow this security policy
    • Do not access or modify other users' data
    • Do not disrupt our services
  3. CVE Coordination: For significant vulnerabilities, we will coordinate CVE assignment with MITRE

Security Scanning

We use the following tools for security scanning:

  • Gitleaks: Secret detection in source code
  • clang-tidy: Static analysis for C++ code
  • cppcheck: Additional C++ security checks
  • Trivy: Container image vulnerability scanning (CI/CD)
  • OWASP ZAP: Dynamic application security testing (planned)

To run security scans locally:

# Windows (PowerShell)
.\security-scan.ps1

# Linux/WSL (requires PowerShell Core; if the script exists in your environment)
pwsh ./security-scan.ps1
# Or use the underlying tools directly:
# gitleaks detect --source . --verbose
# cppcheck --enable=warning,style --inconclusive ./src ./include

Security Contact

For security-related issues, please use one of the following methods:

  • GitHub Security Advisories: Report a vulnerability (Recommended)
  • GitHub Issues: For non-sensitive security discussions
  • PGP Key: Available upon request for encrypted communications
  • Response Time: Within 24 hours for initial acknowledgment

Changelog

  • 2025-11: Initial security policy publication
