Security Policy

Supported Versions

Version	Supported
latest	✅

Only the latest version deployed on the main branch is actively supported with security updates. We recommend always running the most recent release.

We take security issues in Thesis Management seriously. If you discover a security vulnerability, please report it responsibly.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, report them via one of the following channels:

GitHub Security Advisories: Use the private vulnerability reporting feature on GitHub
Email: Send a detailed report to krusche@tum.de

Please include as much of the following information as possible:

Acknowledgment: We will acknowledge receipt of your report within 10 business days
Assessment: We will investigate and provide an initial assessment within 15 business days
Resolution: We aim to release a fix for confirmed vulnerabilities as quickly as possible, depending on severity and complexity
Credit: We are happy to credit reporters in release notes (unless you prefer to remain anonymous)

This application handles academic data and uses the following security mechanisms:

Authentication: Keycloak-based OpenID Connect authentication
Authorization: Role-based access control (RBAC) enforced on both server and client
Database: PostgreSQL with parameterized queries via Spring Data JPA
Dependencies: Regularly updated to address known vulnerabilities

The following are considered in scope for security reports:

The following are out of scope:

Vulnerabilities in third-party services (e.g., Keycloak itself): please report those to the respective projects
Issues requiring physical access to the server
Social engineering attacks
Denial-of-service attacks
Issues in the local development environment that do not affect production