Important
ThemisDB is actively maintained. Security updates are provided for supported versions only.
| Version | Status | Security Updates | End of Life |
|---|---|---|---|
| 1.x | ✅ Active | ✅ Yes | TBD |
| 0.9.x | ✅ Maintenance | ✅ Yes | 2026-12-31 |
| < 0.9 | ❌ Unsupported | ❌ No | 2024-01-01 |
We take security vulnerabilities seriously. If you discover a security issue, please follow our responsible disclosure process.
Caution
Never do these things:
- ❌ Open a public GitHub issue for security vulnerabilities
- ❌ Discuss the vulnerability publicly before it's addressed
- ❌ Exploit the vulnerability beyond demonstration purposes
1️⃣ Report via GitHub Security Advisories (Recommended)
- Go to Security Advisories
- Create a new private security advisory
- Include:
- 📝 Description of the vulnerability
- 🔄 Steps to reproduce the issue
- 💥 Potential impact assessment
- 🛠️ Suggested fixes (optional)
2️⃣ Use Responsible Disclosure
- ⏳ Give us reasonable time to address the issue
- 🤐 No public disclosure before fix is released
- 🤝 Coordinate disclosure timeline with security team
3️⃣ Provide Sufficient Detail
Help us reproduce and verify the issue:
- 🖥️ Environment details (OS, version, configuration)
- 📊 Proof-of-concept (PoC) code or steps
- 📸 Screenshots or logs (if applicable)
| Timeframe | Action | Status |
|---|---|---|
| Within 24 hours | Acknowledgment of your report | 📨 |
| Within 72 hours | Initial assessment & severity classification | 🔍 |
| 7-14 days | Detailed response with remediation plan | 📋 |
| 30-90 days | Fix released (depending on severity/complexity) | 🚀 |
Note
Critical vulnerabilities are prioritized and may receive expedited fixes within 7 days.
ThemisDB implements defense-in-depth security across all layers:
🔑 Authentication & Authorization
- ✅ RBAC (Role-Based Access Control) with 4-tier hierarchy
- ✅ mTLS (Mutual TLS) for client authentication
- ✅ Token-based API authentication
- ✅ HashiCorp Vault integration for secrets management
Security Level: ⭐⭐⭐⭐⭐
🌐 Network Protocol Security (v1.3.0+)
| Protocol | Security Features | TLS Version |
|---|---|---|
| HTTP/2 | Server Push, TLS 1.3 required | 1.3+ |
| WebSocket | WSS (WebSocket Secure) | 1.2+ |
| MQTT | TLS/mTLS support, auth required | 1.2+ |
| PostgreSQL Wire | SSL/TLS encryption, RBAC | 1.2+ |
| MCP Server | Transport security (stdio/SSE/WS) | 1.2+ |
[!IMPORTANT] All protocols require explicit opt-in build switches for production readiness.
🔒 Encryption
Data-at-Rest:
- 🔐 AES-256-GCM encryption
- 🗄️ Field-Level Encryption (schema-based selective encryption)
- 🔑 Key Management: HSM (PKCS#11), Vault, or Mock providers
Data-in-Transit:
- 🌐 TLS 1.3 (with TLS 1.2 fallback)
- 🔗 Perfect Forward Secrecy (PFS)
- 📜 Certificate pinning for HSM/TSA
✅ Input Validation
- 📋 JSON Schema validation
- 💉 AQL injection prevention
- 🚫 Path traversal protection
- 📦 Request body size limits (10MB default)
🚦 Rate Limiting & DoS Protection
- ⏱️ Token bucket algorithm (100 req/min default)
- 🌍 Per-IP rate limiting
- 👤 Per-user rate limiting
- ⚙️ Configurable thresholds
📊 Audit & Compliance
Audit Logging:
- 📝 65+ security event types
- 🔐 Encrypt-then-Sign audit logs
- 🔗 Hash chain for tamper detection
- 🔔 SIEM integration (Syslog RFC 5424, Splunk HEC)
Compliance Ready:
- ✅ GDPR/DSGVO
- ✅ eIDAS
- ✅ SOC 2
- ✅ HIPAA
Important
For production deployments, follow our Security Hardening Guide.
| Step | Action | Priority |
|---|---|---|
| 1️⃣ | Enable TLS with strong cipher suites | 🔴 Critical |
| 2️⃣ | Configure RBAC with least-privilege principle | 🔴 Critical |
| 3️⃣ | Enable audit logging with encryption | 🟡 High |
| 4️⃣ | Use external key management (Vault/HSM) | 🟡 High |
| 5️⃣ | Configure rate limiting appropriately | 🟢 Medium |
| 6️⃣ | Set up monitoring and alerting | 🟢 Medium |
| 7️⃣ | Regular security updates and patching | 🔴 Critical |
Core Security Guides
Advanced Security Topics
- 📝 Audit Logging
⚠️ Threat Model- 🛡️ Hardware Attack Vectors - USB, PCIe, CPU, RAM, I/O threats
- ✅ Full Audit Checklist (BSI C5, ISO 27001, DSGVO)
🆕 Knowledge Graph Protection (2026)
Protection against AI data theft and knowledge graph exfiltration:
- 🛡️ Knowledge Graph Protection Guide (EN)
- 🛡️ Wissensgraphen-Schutz (DE)
- 📊 Impact Summary & Implementation Plan (DE)
- ⚙️ Graph Protection Configuration Example
Topics covered:
- Systematic graph exfiltration detection
- Vector embedding theft prevention
- Training data extraction protection
- Access pattern anomaly detection
- Graph watermarking & fingerprinting (planned)
We follow responsible disclosure practices:
1️⃣ Acknowledgment
Security researchers who responsibly disclose vulnerabilities will be acknowledged in our security advisories (unless they prefer to remain anonymous).
2️⃣ No Legal Action
We will not take legal action against security researchers who:
- ✅ Act in good faith
- ✅ Follow this security policy
- ✅ Do not access or modify other users' data
- ✅ Do not disrupt our services
3️⃣ CVE Coordination
For significant vulnerabilities, we will coordinate CVE assignment with MITRE.
Automated security scanning is integrated into our CI/CD pipeline.
| Tool | Purpose | Integration |
|---|---|---|
| Gitleaks | Secret detection in source code | ✅ CI/CD |
| clang-tidy | Static analysis for C++ code | ✅ CI/CD |
| cppcheck | Additional C++ security checks | ✅ CI/CD |
| Trivy | Container image vulnerability scanning | ✅ CI/CD |
| OWASP ZAP | Dynamic application security testing | 🚧 Planned |
Windows (PowerShell)
.\security-scan.ps1Linux/WSL
# If the script exists
./security-scan.ps1
# Or use tools directly:
gitleaks detect --source . --verbose
cppcheck --enable=warning,style --inconclusive ./src ./include| Method | Purpose | Link |
|---|---|---|
| 🔒 GitHub Security Advisories | Report vulnerabilities (Recommended) | Report |
| 💬 GitHub Issues | Non-sensitive security discussions | Issues |
| 🔑 PGP Key | Encrypted communications | Available upon request |
Note
Response Time: Within 24 hours for initial acknowledgment.
| Date | Event |
|---|---|
| 2026-01 | 🔒 Major security improvements in v1.3.4 (RocksDB, Docker, Updates) |
| 2025-12 | 🔐 Update Checker security features & Manifest signing design |
| 2025-11 | 📝 Initial security policy publication |
Note
Comprehensive Security Summary (v1.3.0 - v1.3.4):
See Security Work Summary for detailed information about recent security improvements.
RocksDB Wrapper Security Fixes:
- ✅ 7 critical vulnerabilities fixed (use-after-free, null-pointer, memory leaks)
- ✅ 8 medium-severity issues resolved (deadlocks, resource leaks)
- 📊 100% elimination of segfault risks
- 📖 Full Audit Report
Docker Security Improvements:
- ✅ Ubuntu 24.04 LTS base image (extended security support)
- ✅ Automated security updates during build
- ✅ 80%+ reduction in CVEs
- 📖 Docker Security Fixes
Update Checker Security:
- ✅ Token masking and secure handling
- ✅ HTTPS-only communication
- ✅ Thread-safe implementation
- 📖 Update Security Summary
Binary Authenticity (Design):
- ✅ Cryptographic manifest signing architecture
- ✅ SHA-256 hash verification
- ✅ RSA-4096 digital signatures
- 📖 Manifest Security
🔐 Security is a top priority at ThemisDB
🚨 Report a Vulnerability · 📖 Security Docs · 🛡️ Hardening Guide