Important
ThemisDB is actively maintained. Security updates are provided for supported versions only.
| Version | Status | Security Updates | End of Life |
|---|---|---|---|
| 1.x | ✅ Active | ✅ Yes | TBD |
| 0.9.x | ✅ Maintenance | ✅ Yes | 2026-12-31 |
| < 0.9 | ❌ Unsupported | ❌ No | 2024-01-01 |
We take security vulnerabilities seriously. If you discover a security issue, please follow our responsible disclosure process.
Caution
Never do these things:
- ❌ Open a public GitHub issue for security vulnerabilities
- ❌ Discuss the vulnerability publicly before it's addressed
- ❌ Exploit the vulnerability beyond demonstration purposes
1️⃣ Report via GitHub Security Advisories (Recommended)
- Go to Security Advisories
- Create a new private security advisory
- Include:
  - 📝 Description of the vulnerability
  - 🔄 Steps to reproduce the issue
  - 💥 Potential impact assessment
  - 🛠️ Suggested fixes (optional)
2️⃣ Use Responsible Disclosure
- ⏳ Give us reasonable time to address the issue
- 🤐 No public disclosure before fix is released
- 🤝 Coordinate disclosure timeline with security team
3️⃣ Provide Sufficient Detail
Help us reproduce and verify the issue:
- 🖥️ Environment details (OS, version, configuration)
- 📊 Proof-of-concept (PoC) code or steps
- 📸 Screenshots or logs (if applicable)
| Timeframe | Action | Status |
|---|---|---|
| Within 24 hours | Acknowledgment of your report | 📨 |
| Within 72 hours | Initial assessment & severity classification | 🔍 |
| 7-14 days | Detailed response with remediation plan | 📋 |
| 30-90 days | Fix released (depending on severity/complexity) | 🚀 |
Note
Critical vulnerabilities are prioritized and may receive expedited fixes within 7 days.
ThemisDB implements defense-in-depth security across all layers:
🔑 Authentication & Authorization
- ✅ RBAC (Role-Based Access Control) with 4-tier hierarchy
- ✅ mTLS (Mutual TLS) for client authentication
- ✅ Token-based API authentication
- ✅ HashiCorp Vault integration for secrets management
Security Level: ⭐⭐⭐⭐⭐
🌐 Network Protocol Security (v1.3.0+)
| Protocol | Security Features | TLS Version |
|---|---|---|
| HTTP/2 | Server Push, TLS 1.3 required | 1.3+ |
| WebSocket | WSS (WebSocket Secure) | 1.2+ |
| MQTT | TLS/mTLS support, auth required | 1.2+ |
| PostgreSQL Wire | SSL/TLS encryption, RBAC | 1.2+ |
| MCP Server | Transport security (stdio/SSE/WS) | 1.2+ |
[!IMPORTANT] All protocols require explicit opt-in build switches for production readiness.
🔒 Encryption
Data-at-Rest:
- 🔐 AES-256-GCM encryption
- 🗄️ Field-Level Encryption (schema-based selective encryption)
- 🔑 Key Management: HSM (PKCS#11), Vault, or Mock providers
Data-in-Transit:
- 🌐 TLS 1.3 (with TLS 1.2 fallback)
- 🔗 Perfect Forward Secrecy (PFS)
- 📜 Certificate pinning for HSM/TSA
🛡️ Security Hardening (v1.4.2+):
[!WARNING] NEW: HSM Stub Provider Gating
- ⚠️ Requires explicit opt-in via `THEMIS_ALLOW_HSM_STUB=1`
- ❌ Fails in production mode (`THEMIS_PRODUCTION_MODE=1`)
- 🔍 Auto-detects production environments (`ENVIRONMENT=production`)
- 📋 See: HSM Production Setup
[!NOTE] VaultSigningProvider Limitation
- ✅ Signing operations only (Transit Engine)
- ❌ Key management operations throw clear errors
- 📖 Migration path: Use `VaultKeyProvider` for full key management
- 📋 See: Vault Signing Provider
[!TIP] PKCS#11 Integration Strategy
- 📁 Development: `pkcs11_minimal.h` (built-in, limited)
- 🏭 Production: Vendor PKCS#11 headers (required)
- ✅ Compile-time validation for header compatibility
- 📋 See: PKCS#11 Integration
✅ Input Validation
- 📋 JSON Schema validation
- 💉 AQL injection prevention
- 🚫 Path traversal protection
- 📦 Request body size limits (10MB default)
- 🔍 BPMN/EPK/YAML parser hardening (`src/process/`) — regex-based BPMN parser rejects malformed XML; EPK and VCC-VPB parsers validate schema before import
🚦 Rate Limiting & DoS Protection
- ⏱️ Token bucket algorithm (100 req/min default)
- 🌍 Per-IP rate limiting
- 👤 Per-user rate limiting
- ⚙️ Configurable thresholds
📊 Audit & Compliance
Audit Logging:
- 📝 65+ security event types
- 🔐 Encrypt-then-Sign audit logs
- 🔗 Hash chain for tamper detection
- 🔔 SIEM integration (Syslog RFC 5424, Splunk HEC)
- 🗂️ Maintenance operations (`src/maintenance/`) — all schedule CRUD and job lifecycle events logged via `AuditLogger`; RBAC roles `maintenance:read`, `maintenance:write`, `maintenance:admin`
Compliance Ready:
- ✅ GDPR/DSGVO
- ✅ eIDAS
- ✅ SOC 2
- ✅ HIPAA
Important
For production deployments, start with the Security Posture Guide — it explicitly lists every insecure default, why it is unsafe, and the exact environment variable to change it. Then follow the Production Runbook for the full reference of required and optional environment variables, startup sequence, and failure-mode mitigations.
| Step | Action | Priority |
|---|---|---|
| 1️⃣ | Set `THEMIS_PRODUCTION_MODE=1` and `THEMIS_ENVIRONMENT=production` | 🔴 Critical |
| 2️⃣ | Set `THEMIS_TOKEN_ADMIN` to a strong random secret (≥32 bytes) | 🔴 Critical |
| 3️⃣ | Enable TLS with strong cipher suites | 🔴 Critical |
| 4️⃣ | Configure RBAC with least-privilege principle | 🔴 Critical |
| 5️⃣ | Use external key management: Vault or hardware HSM | 🟡 High |
| 6️⃣ | Enable audit logging with encryption and SIEM sink | 🟡 High |
| 7️⃣ | Enable WAL gRPC mTLS (`THEMIS_WAL_GRPC_ENABLE_MTLS=1`) | 🟡 High |
| 8️⃣ | Configure rate limiting appropriately | 🟢 Medium |
| 9️⃣ | Set up monitoring and alerting | 🟢 Medium |
| 🔟 | Regular security updates and patching | 🔴 Critical |
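
The environment-variable steps in this checklist, together with the HSM stub gating described earlier, can be verified before the service starts. The script below is an added example, not a ThemisDB script: the variable names come from this page, while the function name `themis_preflight` and its pass/fail rules are assumptions.

```shell
#!/usr/bin/env bash
# Added example: preflight check for the checklist's environment variables.
# Variable names are from this page; severities mirror the Priority column.
# Treating an unset variable as a finding is this example's assumption.

themis_preflight() (
    critical=0
    crit() { echo "CRITICAL: $1"; critical=$((critical + 1)); }

    # Step 1: both production switches must be set explicitly.
    [ "${THEMIS_PRODUCTION_MODE:-}" = "1" ] || crit "THEMIS_PRODUCTION_MODE is not 1"
    [ "${THEMIS_ENVIRONMENT:-}" = "production" ] || crit "THEMIS_ENVIRONMENT is not production"

    # Step 2: admin token of at least 32 bytes. Only the length is checked and
    # reported; the value is never printed, and randomness cannot be judged here.
    token_bytes=$(( $(printf '%s' "${THEMIS_TOKEN_ADMIN:-}" | wc -c) ))
    [ "$token_bytes" -ge 32 ] || crit "THEMIS_TOKEN_ADMIN is ${token_bytes} bytes, need >= 32"

    # HSM stub gating: the stub provider fails in production mode, so the
    # opt-in flag must not be carried over from a development environment.
    [ "${THEMIS_ALLOW_HSM_STUB:-}" != "1" ] || crit "THEMIS_ALLOW_HSM_STUB=1 is set"

    # Step 7 is High, not Critical: report it without failing the check.
    [ "${THEMIS_WAL_GRPC_ENABLE_MTLS:-}" = "1" ] || echo "HIGH: THEMIS_WAL_GRPC_ENABLE_MTLS is not 1"

    # Exit status of the function: 0 only when no critical finding was raised.
    [ "$critical" -eq 0 ]
)

# Constructed sample: a host promoted from staging with a short token and the
# development stub flag still set (values are illustrative only).
(
    THEMIS_PRODUCTION_MODE=1
    THEMIS_ENVIRONMENT=production
    THEMIS_TOKEN_ADMIN=changeme
    THEMIS_ALLOW_HSM_STUB=1
    unset THEMIS_WAL_GRPC_ENABLE_MTLS
    themis_preflight
) || echo "preflight failed: fix CRITICAL findings before starting ThemisDB"
```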
⭐ Production Security (Start Here)
- 🛡️ Security Posture Guide — dev vs. production defaults, hardening checklist, threat model, integrator checklist
- 📋 Production Runbook — required env vars, startup sequence, failure modes, mitigations
- 🖥️ systemd deployment files — hardened service unit, production drop-in, env template
- ☸️ Kubernetes production Helm values — TLS, secrets, probes, autoscaling
Core Security Guides
Advanced Security Topics
- 📝 Audit Logging
- ⚠️ Threat Model
- 🛡️ Hardware Attack Vectors - USB, PCIe, CPU, RAM, I/O threats
- ✅ Full Audit Checklist (BSI C5, ISO 27001, DSGVO)
🆕 Knowledge Graph Protection (2026)
Protection against AI data theft and knowledge graph exfiltration:
- 🛡️ Knowledge Graph Protection Guide (EN)
- 🛡️ Wissensgraphen-Schutz (DE)
- 📊 Impact Summary & Implementation Plan (DE)
- ⚙️ Graph Protection Configuration Example
Topics covered:
- Systematic graph exfiltration detection
- Vector embedding theft prevention
- Training data extraction protection
- Access pattern anomaly detection
- Graph watermarking & fingerprinting (planned)
We follow responsible disclosure practices:
1️⃣ Acknowledgment
Security researchers who responsibly disclose vulnerabilities will be acknowledged in our security advisories (unless they prefer to remain anonymous).
2️⃣ No Legal Action
We will not take legal action against security researchers who:
- ✅ Act in good faith
- ✅ Follow this security policy
- ✅ Do not access or modify other users' data
- ✅ Do not disrupt our services
3️⃣ CVE Coordination
For significant vulnerabilities, we will coordinate CVE assignment with MITRE.
Automated security scanning is integrated into our CI/CD pipeline.
| Tool | Purpose | Integration |
|---|---|---|
| Gitleaks | Secret detection in source code | ✅ CI/CD |
| clang-tidy | Static analysis for C++ code | ✅ CI/CD |
| cppcheck | Additional C++ security checks | ✅ CI/CD |
| Trivy | Container image vulnerability scanning | ✅ CI/CD |
| OWASP ZAP | Dynamic application security testing | 🚧 Planned |
| Comprehensive Audit | Systematic security & compliance audit | ✅ Available |
Comprehensive Security Audit (Recommended)
Run a systematic security audit covering SAST, dependency scanning, secret detection, and more:
```bash
# Full audit (requires tools: cppcheck, clang-tidy, trivy, gitleaks, semgrep)
./scripts/comprehensive-code-audit.sh

# Quick audit (skip time-consuming checks)
AUDIT_QUICK=1 ./scripts/comprehensive-code-audit.sh

# Audit with specific categories
./scripts/comprehensive-code-audit.sh --skip-dependencies --skip-dynamic

# View all options
./scripts/comprehensive-code-audit.sh --help
```

Audit Report: Results are saved in `audit-results-<timestamp>/comprehensive-audit-report.md`
Compliance Coverage: BSI C5, ISO 27001, DSGVO, NIS2, OWASP ASVS, NIST CSF
Individual Security Tools
```bash
# Secret detection
gitleaks detect --source . --verbose

# Static analysis
cppcheck --enable=warning,style --inconclusive ./src ./include
clang-tidy src/**/*.cpp -- -std=c++20

# Dependency scanning
trivy fs --scanners vuln,secret,misconfig .

# Semgrep patterns
semgrep --config=auto src/ include/
```

| Method | Purpose | Link |
|---|---|---|
| 🔒 GitHub Security Advisories | Report vulnerabilities (Recommended) | Report |
| 💬 GitHub Issues | Non-sensitive security discussions | Issues |
| 🔑 PGP Key | Encrypted communications | Available upon request |
Note
Response Time: Within 24 hours for initial acknowledgment.
| Date | Event |
|---|---|
| 2026-03 | 📝 Added src/process/ (BPMN parser hardening) and src/maintenance/ (RBAC audit trail) security notes |
| 2026-01 | 🔒 Major security improvements in v1.3.4 (RocksDB, Docker, Updates) |
| 2025-12 | 🔐 Update Checker security features & Manifest signing design |
| 2025-11 | 📝 Initial security policy publication |
Note
Comprehensive Security Summary (v1.3.0 - v1.3.4):
See Security Work Summary for detailed information about recent security improvements.
RocksDB Wrapper Security Fixes:
- ✅ 7 critical vulnerabilities fixed (use-after-free, null-pointer, memory leaks)
- ✅ 8 medium-severity issues resolved (deadlocks, resource leaks)
- 📊 100% elimination of segfault risks
- 📖 Full Audit Report
Docker Security Improvements:
- ✅ Ubuntu 24.04 LTS base image (extended security support)
- ✅ Automated security updates during build
- ✅ 80%+ reduction in CVEs
- 📖 Docker Security Fixes
Update Checker Security:
- ✅ Token masking and secure handling
- ✅ HTTPS-only communication
- ✅ Thread-safe implementation
- 📖 Update Security Summary
Binary Authenticity (Design):
- ✅ Cryptographic manifest signing architecture
- ✅ SHA-256 hash verification
- ✅ RSA-4096 digital signatures
- 📖 Manifest Security
🔐 Security is a top priority at ThemisDB
🚨 Report a Vulnerability · 📖 Security Docs · 🛡️ Security Posture Guide