| Version | Supported |
|---|---|
| 5.x.x | ✅ |
| 4.x.x | ✅ |
| < 4.0 | ❌ |

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
Do NOT report security vulnerabilities through public GitHub issues.
Instead, please email us at: typo3@netresearch.de
Include the following information:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

After you report, you can expect:

- Acknowledgment: We will acknowledge receipt within 48 hours
- Initial Assessment: We will provide an initial assessment within 5 business days
- Resolution Timeline: Critical issues will be addressed as quickly as possible
- Credit: We will credit reporters in our release notes (unless you prefer to remain anonymous)

This project implements several security measures:
- LDAP-based authentication with LDAP injection prevention
- Role-based access control (DEV, PL, CTL, ADMIN)
- CSRF protection on all state-changing operations
- AES-256-GCM encryption for sensitive tokens
- Strict Content Security Policy
- Regular dependency security audits via GitHub Dependabot and Snyk
- OpenSSF Scorecard and Best Practices compliance

For detailed security documentation, see docs/security.md.

Security updates are released as patch versions. We recommend:
- Subscribe to GitHub releases for notifications
- Keep your installation up to date
- Review the CHANGELOG for security-related changes

This security policy covers the TimeTracker application code. Third-party dependencies are managed through Composer and npm, with automated security scanning enabled.