Only the latest released minor version receives security updates. Older versions are not supported — please upgrade before reporting.
| Version | Supported |
|---|---|
| 2.1.x | ✅ |
| < 2.1 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, use one of the following private channels:
- GitHub Security Advisories (preferred) — open a private advisory.
- Email — roehlevalentin@gmail.com or se.schmitt@bso-hef.de.
Please include as much of the following as you can:
- Affected version(s) and deployment type (Docker, local, Windows container).
- A description of the vulnerability and its impact.
- Step-by-step reproduction instructions, ideally with a proof of concept.
- Any mitigation or workaround you have already identified.
- Acknowledgement within 5 working days.
- Initial assessment within 10 working days.
- For high / critical issues we aim for a fix and coordinated disclosure within 30 days.
- Lower-severity issues are scheduled into the next regular release.
Given this is a student-data application, we are particularly interested in:
- Authentication / session handling flaws (NextAuth, password reset, setup flow).
- Authorization gaps between admin and student roles.
- Exposure of personally identifiable student data (logs, errors, API responses).
- Injection (NoSQL/Mongoose), SSRF, or path-traversal issues.
- Insecure handling of secrets or environment configuration.
- Vulnerabilities in upstream dependencies that already have a public advisory (report those upstream; we track them via Dependabot).
- Issues requiring physical access to a deployed machine.
- Social-engineering attacks against maintainers or users.
We will not pursue legal action against researchers who act in good faith: who avoid privacy violations and service disruption, give us reasonable time to remediate before disclosure, and do not exploit a finding beyond what is necessary to demonstrate it.