[Qgis-psc] Fwd: TR: QGIS/Tronox Integration
Régis Haubourg
regis at qgis.org
Thu Feb 26 06:31:48 PST 2026
I've been toying with Claude to have the Great AI fill some of those
forms for me, that is interesting as it reflects maybe how we should
structure our public information.
Here are the answers when asking the same questions. They seem pretty
reasonable, I hope users will read them.
But as long as each IT department invents its own forms and
questions, we will have these random questions.
Hopefully in 2 or 3 years, with more standardized ways of handling
security audits and scans, this should not last.
----
"I would like to work with QGIS, and our cybersecurity team needs to
ensure the absence of potential security issues of your solution."
I'd be happy to help you work with QGIS! Before we dive in, let me
address your cybersecurity team's concern transparently.
About My Environment
I have access to a *Linux computer (Ubuntu 24)* where I can run code and
bash commands. Here's what your security team should know:
*Network Access*
* My network access is currently *disabled* for bash/computer tools
* I cannot make outbound connections, download packages, or
communicate with external services from this environment
* This means I cannot install QGIS or its dependencies directly
*What I Can Do*
* Write QGIS Python scripts (PyQGIS) for you to run locally
* Help with QGIS configuration files, project files (.qgs/.qgz),
and automation
* Generate, analyze, or transform geospatial data (GeoJSON,
Shapefiles, etc.)
* Write processing scripts, plugins, or workflows
* Analyze uploaded QGIS files or datasets you share with me
*Security Posture*
* I do not retain data between sessions
* Files you upload are only used within this conversation
* I cannot exfiltrate data (network is disabled in my compute environment)
* All code I generate is visible and auditable before you run it
------------------------------------------------------------------------
What would you like to do with QGIS? For example:
* *Automate* a geospatial workflow with PyQGIS
* *Create or edit* a QGIS project file
* *Process* geospatial data (clip, reproject, merge layers, etc.)
* *Write a plugin* or custom processing algorithm
* *Analyze* data you upload
Let me know your use case and I'll get started!
-----
Here is the security questionnaire filled in accurately for *QGIS*.org
(the open-source Geographic Information System), based on official QGIS
documentation and project pages:
------------------------------------------------------------------------
*From a security perspective — answers for QGIS*
*① Basic Policy on Information Security* → QGIS is an open-source
project governed by the QGIS Foundation. The QGIS community takes
security seriously and is aware that QGIS is deployed in sensitive
environments. [QGIS <https://qgis.org/resources/support/security/>]
Security disclosures are handled through a formal Coordinated
Vulnerability Disclosure (CVD) process via a private dedicated
repository, with fixes shipped in point releases as quickly as possible.
*② Privacy Policy* → QGIS values user privacy and provides detailed
information on this topic on its website
(qgis.org/resources/support/privacy/).
[QGIS <https://www2.qgis.org/en/site/forusers/>] As a desktop application,
QGIS processes geospatial data locally on the user's machine. It does
not transmit personal data to external servers during normal use. The
QGIS website itself uses standard web privacy practices.
*③ Third-party certifications (ISMS, P-mark, etc.)* → QGIS, as a
community-driven open-source project, has not obtained ISO/IEC 27001 or
equivalent certifications. However, the Swiss National Cyber Security
Centre (NCSC) and National Test Institute for Cybersecurity (NTC)
conducted a security audit of QGIS as part of a pilot project on
open-source software security testing (November 2024 – June 2025),
demonstrating external independent security scrutiny.
[NTC <https://en.ntc.swiss/news/2025-reports-oss-ncsc>]
*④ Current vulnerability handling* → In the 2024–2025 NTC/NCSC audit, a
total of six vulnerabilities were identified in QGIS Server and the QGIS
web client (QWC2): one low-severity issue on the server and five on the
web client, two of which were rated "high." All vulnerabilities were
fixed by the development teams within the 90-day disclosure deadline,
and updated versions are available for download.
[NTC <https://en.ntc.swiss/news/2025-reports-oss-ncsc>] QGIS is not a CVE
Numbering Authority (CNA), so it does not emit CVE identifiers itself.
[QGIS <https://qgis.org/resources/support/security/>]
*⑤ Password policy* → QGIS uses a master password system to protect its
local authentication database (qgis-auth.db). Users must define a master
password when first storing any encrypted credentials. After three
incorrect password attempts, the system offers to erase the database —
there is no way to retrieve or override a forgotten master password.
[QGIS Documentation <https://docs.qgis.org/3.40/en/docs/user_manual/auth_system/auth_overview.html>]
Password complexity rules are not enforced natively by QGIS itself; they
depend on the operating system or enterprise deployment configuration.
*⑥ Multi-factor authentication (MFA)* → QGIS desktop does not natively
provide MFA for the application itself. However, QGIS supports a wide
range of authentication methods including PKI certificates, identity
bundles (PEM/DER, PKCS#12), and Basic authentication for connecting to
external services (WMS, WFS, databases, etc.).
[QGIS Documentation <https://docs.qgis.org/3.40/en/docs/pyqgis_developer_cookbook/authentication.html>]
MFA for user workstation access depends on the operating system and
enterprise identity infrastructure in use.
*⑦ Can users change their own password?* → Yes. The master password can
be reset by the user at any time; the current master password is
required before resetting. During the reset process, there is also an
option to generate a complete backup of the authentication database.
[QGIS Documentation <https://docs.qgis.org/3.40/en/docs/user_manual/auth_system/auth_overview.html>]
*⑧ Privilege management per user* → QGIS Desktop is a single-user
desktop application — it does not have a built-in multi-user privilege
management system. Access controls and user privileges are managed at
the OS level or through connected backend systems (e.g.,
PostgreSQL/PostGIS database role permissions, GeoServer access control).
For server deployments, QGIS Server inherits the access permissions of
the web server process.
*⑨ IdP integration (SAML, SSO, etc.)* → QGIS does not natively support
SAML or SSO authentication as a built-in feature for the desktop
application. However, QGIS's authentication framework supports various
methods including PKI-based authentication, OAuth2 (via plugin), and
HTTP authentication
[QGIS Documentation <https://docs.qgis.org/3.40/en/docs/pyqgis_developer_cookbook/authentication.html>],
which can integrate with enterprise identity systems. Full SAML/SSO
integration would typically be handled at the OS or network layer (e.g.,
Active Directory, LDAP) rather than within QGIS itself.
------------------------------------------------------------------------
*Note:* QGIS is a free, open-source desktop GIS application
maintained by the QGIS Foundation — it is not a SaaS product with a
commercial vendor security team. Security posture for enterprise
deployments is significantly shaped by how your organization
configures the OS, network, backend databases, and plugin management.
Best regards,
Régis Haubourg
Elected member at the Program Steering Committee of QGIS.org.
-
On 26/02/2026 11:41, Richard Duivenvoorde via QGIS-PSC wrote:
> Ah Thanks, that is why I could not find it :-)
> That's another mailbox for me...
>
> I'll try to do a rewrite of his paragraph, to make it more general,
> and point to commercial service suppliers, this afternoon, so others
> can reflect on that.
>
> Regards,
>
> Richard Duivenvoorde
>
> PS sorry for not obfuscating the name of original mail...
>
>
> On 2/26/26 10:29, Régis Haubourg via QGIS-PSC wrote:
>> To follow up, here is a response I did last week from the security
>> mail (names obfuscated):
>>
>> ---
>>
>> Hi,
>>
>> Please note that QGIS is not an online service, but a free and open
>> source desktop tool with no centralized server collecting data on
>> your usage of QGIS. Please understand that your form does not match
>> with what QGIS does. As a community and open source project, we can't
>> answer individually to your requests, all the necessary information
>> is available online at qgis.org, including some standard forms like VPAT.
>>
>> As for vulnerabilities, our security policy is also described online
>> and you can understand that current disclosures being worked on can't
>> be disclosed until patched and released.
>>
>> Please take time to understand that QGIS is a GIS that can connect to
>> many data sources and delegates authentication methods to the data
>> providers. QGIS supports most of the protocols and has an internal
>> encrypted password wallet, or can delegate to the OS wallet.
>>
>>
>> Best regards,
>>
>> Régis Haubourg
>> Elected member at the Program Steering Committee of QGIS.org.
>> -
>>
>> On 22/02/2026 02:10, egsecurity_chd001 wrote:
>>> Hi, everyone.
>>> My name is xxx from CHANGE xxx, Inc.
>>> We are currently considering using the service 「QGIS」 that you
>>> provide.
>>> From a security perspective, could you please answer all the
>>> questions below?
>>>
>>> ①What is your company’s Basic Policy on Information Security?
>>> e.g.) We define and follow the information security guidelines.
>>> →
>>> ②What is your company Privacy Policy?
>>> e.g.) We conformed to P-mark certification in principle.
>>> →
>>> ③Have you obtained any third-party certifications such as ISMS or
>>> P-mark?
>>> e.g.) Yes, we have ISMS27001.
>>> →
>>> ④In terms of vulnerability, do you have any things that you are
>>> currently dealing with ?
>>> e.g.) Yes, we are working on it since vulnerability has been
>>> identified in XX.
>>> →
>>> ⑤What is your password policy?
>>> e.g.) Passwords must adhere to a minimum length of 8 characters with
>>> mixture of uppercase and lowercase letters and numbers.
>>> →
>>> ⑥Is it possible to set up multi-factor authentication(MFA)?
>>> e.g.) Yes. Paid plan only.
>>> →
>>> ⑦Is it possible for all users to change their own password?
>>> e.g.) Yes.
>>> →
>>> ⑧Could you grant privileges to each user?
>>> e.g.) Privileges can be set up by groups.
>>> →
>>> ⑨Is it possible to connect with idP such as SAML, etc.?
>>> e.g.) Yes. Only for a paid plan, SSO authentication with MS is
>>> available.
>>> →
>>
>>
>> _______________________________________________
>> QGIS-PSC mailing list
>> QGIS-PSC at lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/qgis-psc