|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +| Version | Supported | |
| 6 | +| ------- | ------------------ | |
| 7 | +| latest | :white_check_mark: | |
| 8 | + |
| 9 | +Only the latest version deployed on the main branch is actively supported with security updates. We recommend always running the most recent release. |
| 10 | + |
| 11 | +## Reporting a Vulnerability |
| 12 | + |
| 13 | +We take security issues in Thesis Management seriously. If you discover a security vulnerability, please report it responsibly. |
| 14 | + |
| 15 | +**Please do NOT report security vulnerabilities through public GitHub issues.** |
| 16 | + |
| 17 | +Instead, report them via one of the following channels: |
| 18 | + |
| 19 | +- **GitHub Security Advisories**: Use the [private vulnerability reporting](https://github.com/ls1intum/thesis-management/security/advisories/new) feature on GitHub |
| 20 | +- **Email**: Send a detailed report to [krusche@tum.de](mailto:krusche@tum.de) |
| 21 | + |
| 22 | +### What to Include |
| 23 | + |
| 24 | +Please include as much of the following information as possible: |
| 25 | + |
| 26 | +- A description of the vulnerability and its potential impact |
| 27 | +- Steps to reproduce or a proof-of-concept |
| 28 | +- The affected component (server, client, authentication, etc.) |
| 29 | +- Any suggestions for mitigation or fixes |
| 30 | + |
| 31 | +### What to Expect |
| 32 | + |
| 33 | +- **Acknowledgment**: We will acknowledge receipt of your report within **10 business days** |
| 34 | +- **Assessment**: We will investigate and provide an initial assessment within **15 business days** |
| 35 | +- **Resolution**: We aim to release a fix for confirmed vulnerabilities as quickly as possible, depending on severity and complexity |
| 36 | +- **Credit**: We are happy to credit reporters in release notes (unless you prefer to remain anonymous) |
| 37 | + |
| 38 | +## Security Considerations |
| 39 | + |
| 40 | +This application handles academic data and uses the following security mechanisms: |
| 41 | + |
| 42 | +- **Authentication**: Keycloak-based OpenID Connect authentication |
| 43 | +- **Authorization**: Role-based access control (RBAC) enforced on both server and client |
| 44 | +- **Database**: PostgreSQL with parameterized queries via Spring Data JPA |
| 45 | +- **Dependencies**: Regularly updated to address known vulnerabilities |
| 46 | + |
| 47 | +## Scope |
| 48 | + |
| 49 | +The following are considered in scope for security reports: |
| 50 | + |
| 51 | +- Authentication and authorization bypasses |
| 52 | +- Injection vulnerabilities (SQL, XSS, CSRF, etc.) |
| 53 | +- Insecure direct object references |
| 54 | +- Sensitive data exposure |
| 55 | +- Server-side request forgery (SSRF) |
| 56 | +- Misconfiguration in default deployment settings |
| 57 | + |
| 58 | +The following are out of scope: |
| 59 | + |
| 60 | +- Vulnerabilities in third-party services (e.g., Keycloak itself): please report those to the respective projects |
| 61 | +- Issues requiring physical access to the server |
| 62 | +- Social engineering attacks |
| 63 | +- Denial-of-service attacks |
| 64 | +- Issues in the local development environment that do not affect production |
0 commit comments