Security

Security is a top priority for GOTRS. This page outlines our security approach and how to report vulnerabilities.

GOTRS Security Features

Design Principles

Rootless Containers: All containers run as non-root user (UID 1000)
Alpine Base Images: Minimal attack surface with Alpine Linux
Security Scanning: Automated vulnerability scanning in CI/CD
Secure Defaults: Security-first configuration out of the box

Implementation

Input validation and sanitization
SQL injection prevention
XSS protection with Content Security Policy
Secure authentication and session management
HTTPS-only communication

Infrastructure Security

Container isolation and security contexts
SELinux support for additional protection
Kubernetes security policies
Regular security updates and patching

Vulnerability Reporting

Responsible Disclosure

We appreciate security researchers who report vulnerabilities responsibly.

Please DO NOT:

File public GitHub issues for security vulnerabilities
Test vulnerabilities on publicly accessible instances
Access or modify data that doesn’t belong to you

Please DO:

Report vulnerabilities privately to security@gibbsoft.com
Provide detailed reproduction steps
Allow reasonable time for patches before disclosure

Response Process

Acknowledgment: Within 48 hours of report
Initial Assessment: Within 1 week
Fix Development: Timeline depends on severity
Coordinated Disclosure: After fix is available
Recognition: Credit in release notes (optional)

Security Updates

Critical security fixes are released immediately
Security updates are clearly marked in release notes
Subscribe to GitHub releases for notifications
Professional support customers get priority notifications

Contact

Security Team
Email: security@gibbsoft.com
PGP Key: Available upon request

Response Time

Critical: Within 24 hours
High: Within 48 hours
Medium/Low: Within 1 week