[Qgis-psc] Fwd: TR: QGIS/Tronox Integration
Richard Duivenvoorde
rdmailings at duif.net
Thu Feb 26 07:28:21 PST 2026
Ha Régis,
That is a lot more positive information than I had in mind :-)
My take would be something like (but more polite words):
- QGIS is FOSS software, created by a community
- QGIS takes its responsibility seriously, see [link to security pages]
- but also note that QGIS is a powerful tool, which can be used in a lot of ways: the user or the organization is itself responsible for handling that power
- QGIS volunteers will probably not spend free time on filling in questionnaires, nor take individual responsibility for your use of QGIS
- if you need such service please try to find one from the commercial suppliers list
Maybe I'm getting too harsh now, but I get the feeling that a lot of "IT departments" are more busy getting the risks off their shoulders (bringing them to others), or inventing red tape... There are so many possible 'vectors'
Your/Claude's wording is probably more constructive :-) ?
Chatgpt rephrases my text to:
- QGIS is free and open-source software (FOSS), developed and maintained by a dedicated global community of contributors.
- The QGIS project takes security and responsible software development seriously. Please refer to the official security pages for more information: [link to security pages].
- At the same time, QGIS is a powerful and flexible tool that can be used in many different ways. Users and organizations are responsible for ensuring that it is configured and used appropriately within their own operational and regulatory context.
- As QGIS is developed by volunteers, contributors may not be able to dedicate time to completing individual questionnaires or assuming responsibility for specific organizational use cases.
- If you require dedicated support, compliance documentation, or formal assurances, we kindly recommend contacting one of the providers listed in the official commercial support directory.
What about combining the above with your 'security measures'? Adding it with a line of:
- OR fill in the questionnaire/security thingie with some of the info/answers below [then your text]?
On 2/26/26 15:31, Régis Haubourg via QGIS-PSC wrote:
> *From a security perspective — answers for QGIS*
>
> *① Basic Policy on Information Security* → QGIS is an open-source project governed by the QGIS Foundation. The QGIS community takes security seriously and is aware that QGIS is deployed in sensitive environments. QGIS<https://qgis.org/resources/support/security/> Security disclosures are handled through a formal Coordinated Vulnerability Disclosure (CVD) process via a private dedicated repository, with fixes shipped in point releases as quickly as possible.
>
> *② Privacy Policy* → QGIS values user privacy and provides detailed information on this topic on its website (qgis.org/resources/support/privacy/). Qgis<https://www2.qgis.org/en/site/forusers/> As a desktop application, QGIS processes geospatial data locally on the user's machine. It does not transmit personal data to external servers during normal use. The QGIS website itself uses standard web privacy practices.
>
> *③ Third-party certifications (ISMS, P-mark, etc.)* → QGIS, as a community-driven open-source project, has not obtained ISO/IEC 27001 or equivalent certifications. However, the Swiss National Cyber Security Centre (NCSC) and National Test Institute for Cybersecurity (NTC) conducted a security audit of QGIS as part of a pilot project on open-source software security testing (November 2024 – June 2025), demonstrating external independent security scrutiny. Ntc<https://en.ntc.swiss/news/2025-reports-oss-ncsc>
>
> *④ Current vulnerability handling* → In the 2024–2025 NTC/NCSC audit, a total of six vulnerabilities were identified in QGIS Server and the QGIS web client (QWC2): one low-severity issue on the server and five on the web client, two of which were rated "high." All vulnerabilities were fixed by the development teams within the 90-day disclosure deadline, and updated versions are available for download. Ntc<https://en.ntc.swiss/news/2025-reports-oss-ncsc> QGIS is not a CVE Numbering Authority (CNA), so it does not emit CVE identifiers itself. QGIS<https://qgis.org/resources/support/security/>
>
> *⑤ Password policy* → QGIS uses a master password system to protect its local authentication database (qgis-auth.db). Users must define a master password when first storing any encrypted credentials. After three incorrect password attempts, the system offers to erase the database — there is no way to retrieve or override a forgotten master password. QGIS Documentation<https://docs.qgis.org/3.40/en/docs/user_manual/auth_system/auth_overview.html> Password complexity rules are not enforced natively by QGIS itself; they depend on the operating system or enterprise deployment configuration.
>
> *⑥ Multi-factor authentication (MFA)* → QGIS desktop does not natively provide MFA for the application itself. However, QGIS supports a wide range of authentication methods including PKI certificates, identity bundles (PEM/DER, PKCS#12), and Basic authentication for connecting to external services (WMS, WFS, databases, etc.). QGIS Documentation<https://docs.qgis.org/3.40/en/docs/pyqgis_developer_cookbook/authentication.html> MFA for user workstation access depends on the operating system and enterprise identity infrastructure in use.
>
> *⑦ Can users change their own password?* → Yes. The master password can be reset by the user at any time; the current master password is required before resetting. During the reset process, there is also an option to generate a complete backup of the authentication database. QGIS Documentation<https://docs.qgis.org/3.40/en/docs/user_manual/auth_system/auth_overview.html>
>
> *⑧ Privilege management per user* → QGIS Desktop is a single-user desktop application — it does not have a built-in multi-user privilege management system. Access controls and user privileges are managed at the OS level or through connected backend systems (e.g., PostgreSQL/PostGIS database role permissions, GeoServer access control). For server deployments, QGIS Server inherits the access permissions of the web server process.
>
> *⑨ IdP integration (SAML, SSO, etc.)* → QGIS does not natively support SAML or SSO authentication as a built-in feature for the desktop application. However, QGIS's authentication framework supports various methods including PKI-based authentication, OAuth2 (via plugin), and HTTP authentication QGIS Documentation<https://docs.qgis.org/3.40/en/docs/pyqgis_developer_cookbook/authentication.html>, which can integrate with enterprise identity systems. Full SAML/SSO integration would typically be handled at the OS or network layer (e.g., Active Directory, LDAP) rather than within QGIS itself.
>
> ------------------------------------------------------------
>
> *Note:* QGIS is a free, open-source desktop GIS application maintained by the QGIS Foundation — it is not a SaaS product with a commercial vendor security team. Security posture for enterprise deployments is significantly shaped by how your organization configures the OS, network, backend databases, and plugin management.