[Qgis-psc] Fwd: TR: QGIS/Tronox Integration

Régis Haubourg regis at qgis.org
Thu Feb 26 01:29:48 PST 2026


To follow up, here is a response I did last week from the security mail 
(names obfuscated):

---

Hi,

Please note that QGIS is not an online service, but a free and open 
source desktop tool with no centralized server collecting data on your 
usage of QGIS. Please understand that your form does not match with what 
QGIS does. As a community and open source project, we can't answer 
your requests individually; all the necessary information is 
available online at qgis.org, including some standard forms like VPAT.

As for vulnerabilities, our security policy is also described online and 
you can understand that current disclosures being worked on can't be 
disclosed until patched and released.

Please take time to understand that QGIS is a GIS that can connect to 
many data sources and delegates authentication methods to the data 
providers. QGIS supports most of the protocols and has an internal 
encrypted password wallet, or can delegate to the OS wallet.


Best regards,

Régis Haubourg
Elected member at the Program Steering Committee of QGIS.org.

---

On 22/02/2026 02:10, egsecurity_chd001 wrote:
> Hi, everyone.
> My name is xxx from CHANGE xxx, Inc.
> We are currently considering using the service 「QGIS」 that you provide.
> From a security perspective, could you please answer all the questions 
> below?
>
> ①What is your company’s Basic Policy on Information Security?
> e.g.) We define and follow the information security guidelines.
>
> ②What is your company Privacy Policy?
> e.g.) We conformed to P-mark certification in principle.
>
> ③Have you obtained any third-party certifications such as ISMS or P-mark?
> e.g.) Yes, we have ISMS27001.
>
> ④In terms of vulnerability, do you have any things that you are 
> currently dealing with?
> e.g.) Yes, we are working on it since vulnerability has been 
> identified in XX.
>
> ⑤What is your password policy?
> e.g.) Passwords must adhere to a minimum length of 8 characters with 
> mixture of uppercase and lowercase letters and numbers.
>
> ⑥Is it possible to set up multi-factor authentication (MFA)?
> e.g.) Yes. Paid plan only.
>
> ⑦Is it possible for all users to change their own password?
> e.g.) Yes.
>
> ⑧Could you grant privileges to each user?
> e.g.) Privileges can be set up by groups.
>
> ⑨Is it possible to connect with IdP such as SAML, etc.?
> e.g.) Yes. Only for a paid plan, SSO authentication with MS is available.