Currently, only the latest version of the College Management System is supported with security updates.

• Never commit .env or CREDENTIALS.txt files to version control
• Always use .env.example as a template and create your own .env file
• CRITICAL: Change ALL default passwords immediately after installation
  • Default test accounts use password: 123 (extremely weak)
  • These are for DEVELOPMENT/TESTING only
  • Production systems must use strong, unique passwords
• Use strong, unique passwords for all user accounts (minimum 12 characters, mix of upper/lower case, numbers, and special characters)
• Consider implementing forced password change on first login

• Run the database with a dedicated user account (not root)
• Use strong passwords for database users
• Limit database access to localhost only in production
• Regularly backup your database

• All passwords are hashed using SHA-256
• New installations can use salted hashing by enabling it in PasswordUtils
• Change passwords regularly
• Enforce password complexity requirements

• Run the application behind a firewall
• Use HTTPS/SSL when deploying in production
• Limit API access to trusted networks only

• Keep Java and MySQL updated to the latest versions
• Monitor dependencies for security vulnerabilities
• Apply security patches promptly

If you discover a security vulnerability in this project, please report it by:

1. DO NOT create a public GitHub issue
2. Email the maintainer with details about the vulnerability
3. Include steps to reproduce the issue
4. Allow reasonable time for a fix to be developed

We take security seriously and will respond to valid reports promptly.

• Existing installations use SHA-256 without salt for backward compatibility
• This is considered weak by modern standards
• Recommendation: Plan a migration to use salted hashing for new passwords
• Future versions will enforce stronger password hashing

• The application creates new database connections per request
• Consider implementing connection pooling for production deployments
• Monitor connection usage to prevent resource exhaustion

• All user inputs should be validated before processing
• SQL injection protection is implemented via PreparedStatements
• Additional validation layers should be added at the application level

• Changed all default passwords
• Created .env file with production credentials
• Verified .env is in .gitignore
• Removed CREDENTIALS.txt or secured it appropriately
• Database is running with a non-root user
• Database access is restricted to localhost
• Application is running behind a firewall
• Regular backups are configured
• Logging is enabled and monitored
• SSL/TLS is configured if exposed to network

For security concerns, please contact the repository maintainers.