If you discover a security vulnerability in SirixDB, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please report vulnerabilities through one of these channels:

1. GitHub Security Advisories: Use GitHub's private vulnerability reporting to submit a report directly.
2. Discord: Contact a maintainer privately on Discord.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 72 hours
• Initial assessment: Within 1 week
• Fix or mitigation: Depends on severity, but we aim for prompt resolution

SirixDB's append-only architecture provides inherent data integrity guarantees:

• Immutable revisions: Once committed, revision data is never overwritten
• Merkle hash trees: Optional per-node hashing for tamper detection
• Keycloak integration: The REST API supports OAuth2/OpenID Connect authentication via Keycloak

When deploying SirixDB in production:

• Use TLS for all REST API connections
• Configure Keycloak with strong authentication policies
• Restrict filesystem access to the database directory
• Review JVM flags required for operation (see README)