> [!IMPORTANT]
> ThemisDB is actively maintained. Security updates are provided for supported versions only.
| Version | Status | Security Updates | End of Life |
|---|---|---|---|
| 1.x | Active | Yes | TBD |
| 0.9.x | Maintenance | Yes | 2026-12-31 |
| < 0.9 | Unsupported | No | 2024-01-01 |
We take security vulnerabilities seriously. If you discover a security issue, please follow our responsible disclosure process.
> [!CAUTION]
> Never do these things:
> - Open a public GitHub issue for a security vulnerability
> - Discuss the vulnerability publicly before it is addressed
> - Exploit the vulnerability beyond what is needed to demonstrate it
1. Report via GitHub Security Advisories (Recommended)
- Go to Security Advisories
- Create a new private security advisory
- Include:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact assessment
  - Suggested fixes (optional)
2. Use Responsible Disclosure
- Give us reasonable time to address the issue
- No public disclosure before the fix is released
- Coordinate the disclosure timeline with the security team
3. Provide Sufficient Detail
Help us reproduce and verify the issue:
- Environment details (OS, version, configuration)
- Proof-of-concept (PoC) code or steps
- Screenshots or logs (if applicable)
| Timeframe | Action |
|---|---|
| Within 24 hours | Acknowledgment of your report |
| Within 72 hours | Initial assessment & severity classification |
| 7-14 days | Detailed response with remediation plan |
| 30-90 days | Fix released (depending on severity/complexity) |
> [!NOTE]
> Critical vulnerabilities are prioritized and may receive expedited fixes within 7 days.
ThemisDB implements defense-in-depth security across all layers:
Authentication & Authorization
- RBAC (Role-Based Access Control) with 4-tier hierarchy
- mTLS (Mutual TLS) for client authentication
- Token-based API authentication
- HashiCorp Vault integration for secrets management
Network Protocol Security (v1.3.0+)
| Protocol | Security Features | TLS Version |
|---|---|---|
| HTTP/2 | Server Push, TLS 1.3 required | 1.3+ |
| WebSocket | WSS (WebSocket Secure) | 1.2+ |
| MQTT | TLS/mTLS support, auth required | 1.2+ |
| PostgreSQL Wire | SSL/TLS encryption, RBAC | 1.2+ |
| MCP Server | Transport security (stdio/SSE/WS) | 1.2+ |
> [!IMPORTANT]
> All protocols require explicit opt-in build switches for production readiness.
Encryption
Data-at-Rest:
- AES-256-GCM encryption
- Field-Level Encryption (schema-based selective encryption)
- Key Management: HSM (PKCS#11), Vault, or Mock providers
Data-in-Transit:
- TLS 1.3 (with TLS 1.2 fallback)
- Perfect Forward Secrecy (PFS)
- Certificate pinning for HSM/TSA
Input Validation
- JSON Schema validation
- AQL injection prevention
- Path traversal protection
- Request body size limits (10MB default)
Rate Limiting & DoS Protection
- Token bucket algorithm (100 req/min default)
- Per-IP rate limiting
- Per-user rate limiting
- Configurable thresholds
Audit & Compliance
Audit Logging:
- 65+ security event types
- Encrypt-then-Sign audit logs
- Hash chain for tamper detection
- SIEM integration (Syslog RFC 5424, Splunk HEC)
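The hash-chain and signing bullets above, as an added illustration that is not ThemisDB's own code: an append-only audit log in which every entry commits to the previous entry's hash and carries an HMAC over that hash, so an edited, deleted or reordered entry fails verification. The signing key, event shapes and field names are constructed for the example, and the encryption step of encrypt-then-sign is left out to keep the chain logic in focus.

```python
import hashlib
import hmac
import json

# Constructed demo key: in a real deployment the signing key would come from Vault or an HSM.
SIGNING_KEY = b"demo-audit-signing-key"
GENESIS_HASH = "0" * 64


def append_event(chain, event):
    """Append an audit event, linking it to the previous entry and signing the link."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    # The hash covers the previous hash plus this body, so each entry depends on all earlier ones.
    entry_hash = hashlib.sha256((prev_hash + body).encode()).hexdigest()
    # HMAC over the chain hash: without the key, a rewritten chain cannot be re-signed.
    sig = hmac.new(SIGNING_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()
    chain.append({"prev": prev_hash, "body": body, "hash": entry_hash, "sig": sig})
    return chain


def verify_chain(chain):
    """Return (True, -1) for an intact chain, else (False, index) of the first bad entry."""
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        recomputed = hashlib.sha256((expected_prev + entry["body"]).encode()).hexdigest()
        expected_sig = hmac.new(SIGNING_KEY, recomputed.encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != expected_prev or entry["hash"] != recomputed:
            return False, i  # an edited, deleted or reordered entry breaks the link
        if not hmac.compare_digest(entry["sig"], expected_sig):
            return False, i  # the hash is consistent but was not signed with our key
        expected_prev = recomputed
    return True, -1


def sample_chain():
    """Constructed sample events (hypothetical event type names, not ThemisDB's)."""
    events = [
        {"ts": "2025-11-01T10:00:00Z", "type": "auth.login", "user": "alice", "result": "ok"},
        {"ts": "2025-11-01T10:00:05Z", "type": "rbac.denied", "user": "alice", "action": "drop"},
        {"ts": "2025-11-01T10:01:00Z", "type": "auth.logout", "user": "alice", "result": "ok"},
    ]
    chain = []
    for ev in events:
        append_event(chain, ev)
    return chain
```

Verification reports the index of the first entry whose link or signature no longer matches, which is also where a SIEM alert would point an investigator.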
Compliance Ready:
- GDPR/DSGVO
- eIDAS
- SOC 2
- HIPAA
> [!IMPORTANT]
> For production deployments, follow our Security Hardening Guide.
| Step | Action | Priority |
|---|---|---|
| 1 | Enable TLS with strong cipher suites | Critical |
| 2 | Configure RBAC with least-privilege principle | Critical |
| 3 | Enable audit logging with encryption | High |
| 4 | Use external key management (Vault/HSM) | High |
| 5 | Configure rate limiting appropriately | Medium |
| 6 | Set up monitoring and alerting | Medium |
| 7 | Regular security updates and patching | Critical |
Core Security Guides
- Security Overview
- TLS Setup Guide
- RBAC Configuration
- Encryption Strategy
- Key Management
- HSM Integration
Advanced Security Topics
We follow responsible disclosure practices:
1. Acknowledgment
Security researchers who responsibly disclose vulnerabilities will be acknowledged in our security advisories (unless they prefer to remain anonymous).
2. No Legal Action
We will not take legal action against security researchers who:
- Act in good faith
- Follow this security policy
- Do not access or modify other users' data
- Do not disrupt our services
3. CVE Coordination
For significant vulnerabilities, we will coordinate CVE assignment with MITRE.
Automated security scanning is integrated into our CI/CD pipeline.
| Tool | Purpose | Integration |
|---|---|---|
| Gitleaks | Secret detection in source code | CI/CD |
| clang-tidy | Static analysis for C++ code | CI/CD |
| cppcheck | Additional C++ security checks | CI/CD |
| Trivy | Container image vulnerability scanning | CI/CD |
| OWASP ZAP | Dynamic application security testing | Planned |
Windows (PowerShell)

```powershell
.\security-scan.ps1
```

Linux/WSL

```bash
# If the script exists
./security-scan.ps1
# Or use tools directly:
gitleaks detect --source . --verbose
cppcheck --enable=warning,style --inconclusive ./src ./include
```

| Method | Purpose | Link |
|---|---|---|
| GitHub Security Advisories | Report vulnerabilities (Recommended) | Report |
| GitHub Issues | Non-sensitive security discussions | Issues |
| PGP Key | Encrypted communications | Available upon request |
> [!NOTE]
> Response Time: Within 24 hours for initial acknowledgment.
| Date | Event |
|---|---|
| 2025-11 | Initial security policy publication |
Security is a top priority at ThemisDB
Report a Vulnerability · Security Docs · Hardening Guide