[Qgis-psc] Fwd: TR: QGIS/Tronox Integration

Richard Duivenvoorde rdmailings at duif.net
Thu Feb 26 02:41:49 PST 2026


Ah Thanks, that is why I could not find it :-)
That's another mailbox for me...

I'll try to do a rewrite of his paragraph, to make it more general, and point to commercial service suppliers, this afternoon, so others can reflect on that.

Regards,

Richard Duivenvoorde

PS sorry for not obfuscating the name of the original mail...


On 2/26/26 10:29, Régis Haubourg via QGIS-PSC wrote:
> To follow up, here is a response I did last week from the security mail (names obfuscated):
> 
> ---
> 
> Hi,
> 
> Please note that QGIS is not an online service, but a free and open source desktop tool with no centralized server collecting data on your usage of QGIS. Please understand that your form does not match what QGIS does. As a community and open source project, we can't answer your requests individually; all the necessary information is available online at qgis.org, including some standard forms like VPAT.
> 
> As for vulnerabilities, our security policy is also described online and you can understand that current disclosures being worked on can't be disclosed until patched and released.
> 
> Please take time to understand that QGIS is a GIS that can connect to many data sources and delegates authentication methods to the data providers. QGIS supports most of the protocols and has an internal encrypted password wallet, or can delegate to the OS wallet.
> 
> 
> Best regards,
> 
> Régis Haubourg
> Elected member at the Program Steering Committee of QGIS.org.
> -
> 
> On 22/02/2026 02:10, egsecurity_chd001 wrote:
>> Hi, everyone.
>> My name is xxx from CHANGE xxx, Inc.
>> We are currently considering using the service 「QGIS」 that you provide.
>> From a security perspective, could you please answer all the questions below?
>>
>> ①What is your company’s Basic Policy on Information Security?
>> e.g.) We define and follow the information security guidelines.
>>
>> ②What is your company's Privacy Policy?
>> e.g.) We conformed to P-mark certification in principle.
>>
>> ③Have you obtained any third-party certifications such as ISMS or P-mark?
>> e.g.) Yes, we have ISMS27001.
>>
>> ④In terms of vulnerability, do you have anything that you are currently dealing with?
>> e.g.) Yes, we are working on it since vulnerability has been identified in XX.
>>
>> ⑤What is your password policy?
>> e.g.) Passwords must adhere to a minimum length of 8 characters with mixture of uppercase and lowercase letters and numbers.
>>
>> ⑥Is it possible to set up multi-factor authentication (MFA)?
>> e.g.) Yes. Paid plan only.
>>
>> ⑦Is it possible for all users to change their own password?
>> e.g.) Yes.
>>
>> ⑧Could you grant privileges to each user?
>> e.g.) Privileges can be set up by groups.
>>
>> ⑨Is it possible to connect with IdP such as SAML, etc.?
>> e.g.) Yes. Only for a paid plan, SSO authentication with MS is available.
>>
> 
> _______________________________________________
> QGIS-PSC mailing list
> QGIS-PSC at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/qgis-psc


