The project
Who we are
- Oslandia and the other involved partners (such as OPENGIS.ch) are OpenSource "pure players" and main contributors to QGIS.
- This project is an initiative by Oslandia and is endorsed by the QGIS.org association. We work closely with the community of developers, users and stakeholders of QGIS.
- This project involves QGIS core committers willing to advance QGIS security.
Context
- New regulations such as NIS2 and the CRA in Europe, as well as other international or local regulations, will come into force within the next couple of years. They require software and software producers to improve their cybersecurity practices. OpenSource software, while usually given special treatment, is concerned too. The estimated cost of the CRA's impact on an OpenSource project amounts to +30%.
- As for QGIS, we consider that the project lags behind what would be sufficient to comply with these regulations. We also do not fulfill the requirements coming from our end-users in terms of overall software quality regarding security, processes in place to ensure trust in the supply chain, and overall security culture in the project.
- We have been discussing this topic with clients having large deployments of QGIS and QGIS Server. They stressed the issue, stating that cybersecurity is one of their primary concerns and that they want to see the QGIS project move forward in this area as soon as possible. QGIS faces the risk of IT departments blocking QGIS installations if they consider that the project does not give enough consideration to security.
- Requests to security@qgis.org have grown significantly.
Goals
Oslandia, with other partners and backed by clients and end-users, launches the "Security project for QGIS": we identified key topics where security improvements can be achieved, classified them, and created work packages to work on, with budget estimations.
- The main goal is simple: raise the cybersecurity level of the QGIS project
- Fulfill cybersecurity requirements from regulations and end-users
- Make QGIS an example of a security-aware OpenSource project, helping other OSGeo projects to improve
While QGIS and QGIS Server are the main components on which this project focuses, improving QGIS security as a whole also requires considering the underlying libraries (e.g. GDAL/OGR, PROJ, GEOS…).
This project is a specific effort to raise the level of security of QGIS. Maintaining security in the long term will need further efforts, and we encourage you to sponsor QGIS.org by becoming a sustaining member of QGIS.
Organization
- Any organization interested in improving QGIS security can contribute to funding the project. ➡️ Pledge now!
- Once funded, Oslandia and partners will start working on Work Package 1 in early 2025.
- We intend to work closely with the QGIS community, QGIS.org, interested partners and users. Part of the work consists of improvements to the current system; the rest requires changes to processes or developers' habits. Working closely with the user and developer community to raise our security awareness is fully part of the project.
- We will deliver improvements in 2025 and 2026, according to the Work Packages defined below.
Security topics
- Build reproducibility
  - Windows: vcpkg, MSIX packages, Microsoft Store
  - Linux: Docker configurations, automation scripts
  - Build system: documentation, standardized virtual environments
  - Goals: consistency, audit facilitation
- Binary and Docker image signing
  - Binary signing: certificates, secure processes, automation
  - Docker image signing: cryptographic systems, workflow integration
  - Benefits: integrity, authenticity, risk reduction
- Code analysis and dependency management
  - Code analysis: static/dynamic tools, reviews, quality thresholds
  - Dependency management: scanning, CI/CD integration, alerts, SBOM
  - Goals: early detection, risk reduction, continuous improvement
- External security audit
  - External audit: specialized company, in-depth analysis
  - Global analysis: grouped QEP, risks, exposures, best practices
  - Specific audit: plugins.qgis.org and sites hosting QGIS binaries
  - Benefits: vulnerability identification, expert recommendations
- Processes, access and vulnerability management
  - GitHub processes: security team, grouped PRs, secret protection
  - Contribution management: DCO or CLA, community training
  - Access management: expiration policies, management systems
  - Vulnerability management: CVE tool, clear procedures
- Plugin security
  - Automated scanner, validation rules, approval process
  - Plugin security rating system
  - Goals: risk reduction, faster validation, user trust
- Security analysis of artifacts
  - Analyses for Docker images: Clair, ClamAV, DockerBench
  - Goals: secure deployments, early detection, compliance
- Training, documentation and visibility
  - Documentation: processes, guides, response procedures
  - Training: workshops, webinars, online modules
  - Visibility: "SECURITY" label, GitHub updates, security options
  - Goals: awareness, security culture, traceability
- Memory safety
  - Eliminate pointer use in the API, replace with smart pointers
  - Automatic verification to prevent new pointer additions
Work packages
The timeline for the project is:
- Start actions as early as January 2025
- Progress depends on funding availability; Work Packages A, B and C are carried out in this order.
- Work Package A completion target: end of 2025
- Work Packages B and C: 2025-2026
- CRA application deadline: from 2027
Here is the current funding status for the project and Work Packages.
➡️ Make it progress, pledge!
Work Package A: Security Foundations (290 000 €)
- A.1 Code Analysis and Dependency Management
  - Budget: €50,000
  - Difficulty: Medium
  - Priority: High
  - Integration of static analysis tools (e.g., SonarQube)
  - Dependency scanner implementation (e.g., OWASP Dependency-Check)
  - Production of SBOM
  - CI/CD pipeline integration
- A.2 Build Reproducibility
  - Budget: €45,000
  - Difficulty: Hard
  - Priority: High
  - Standardized Docker configurations for Linux
  - Automation scripts for reproducible builds
- A.3 Binary and Docker Image Signing
  - Budget: €35,000
  - Difficulty: Easy
  - Priority: High
  - Acquisition of code signing certificates
  - Automation of signing in the CI/CD pipeline
- A.4 GitHub Processes and Contribution Management
  - Budget: €35,000
  - Difficulty: Medium
  - Priority: High
  - Creation of a dedicated security team
  - Implementation of secret protection
  - Adoption of a Developer Certificate of Origin (DCO)
- A.5 Plugin Security and Specific Audit
  - Budget: €45,000
  - Difficulty: Medium
  - Priority: High
  - Development of automatic validation rules
  - Improved plugin approval processes
  - Targeted security audits of the plugin system
- A.6 Basic Training and Documentation
  - Budget: €15,000
  - Difficulty: Easy
  - Priority: High
  - Creation of a webpage detailing security processes
  - Development of essential security guides
- A.7 Advanced Access Management
  - Budget: €15,000
  - Difficulty: Medium
  - Priority: High
  - Expiration policies for core-committer rights
  - Access management systems for developers
- A.8 Improving Memory Safety
  - Budget: €50,000
  - Difficulty: Hard
  - Priority: High
  - Additional benefit: improved code stability and reduced crashes and memory leaks
Work Package B: Strengthening and Compliance (190 000 €)
- B.1 Advanced Code Analysis
  - Budget: €25,000
  - Difficulty: Hard
  - Priority: Medium
  - Implementation of dynamic analysis tools
  - Adoption of fuzz testing
- B.2 Advanced Vulnerability Management
  - Budget: €30,000
  - Difficulty: Medium
  - Priority: Medium
  - Deployment of a tool to register and track CVEs
  - Definition of a vulnerability management process
- B.3 Optimization of Windows Installation System
  - Budget: €35,000
  - Difficulty: Hard
  - Priority: Medium
  - Creation of MSIX packages for the Windows Store
  - Detailed documentation of the build process
- B.4 Security Analysis of Artifacts
  - Budget: €40,000
  - Difficulty: Medium
  - Priority: Medium
  - Implementation of Docker image analysis
  - Integration of ClamAV for malware detection
- B.5 Extended Training and Visibility
  - Budget: €60,000
  - Difficulty: Easy
  - Priority: Medium
  - Organization of security workshops
  - Development of online training modules
  - Enhancement of visibility for security actions
  - Community management
Work Package C: Continuous Improvement and Advanced Research (170 000 €)
- C.1 Comprehensive External Security Audit
  - Budget: €70,000
  - Difficulty: Hard
  - Priority: Low
  - Thorough architectural analysis
  - Deep security testing for QGIS Desktop and Server
  - Security audit of the plugins.qgis.org website
- C.2 Advanced Code and Security Analysis
  - Budget: €60,000
  - Difficulty: Hard
  - Priority: Low
  - Implementation of advanced analysis techniques
  - Research and development on GIS-specific security
- C.3 Community Management
  - Budget: €40,000
  - Difficulty: Easy
  - Priority: Medium
  - Training and training material for developers and users
  - Help the community raise its security awareness
  - Help other OSGeo projects implement their own security projects
Pledge!
➡️ Fill in the form below to indicate your organization details and the amount you want to pledge.
We accept contributions starting from 5 000 €.
Funders will be listed as sponsors on this page and cited in all public communications. If you do not want to publicize your support, please mention it in the pledge form.
Should you want to help QGIS with less than 5 000 €, we encourage you to make a donation to QGIS.org instead.
Oslandia manages the administrative side of the project and centralizes payments. Once your pledge is sent, we will send you an invoice that you can pay by wire transfer. Please carefully state your organization details in the form so that we can send you a correct invoice: full address, company ID, VAT number and any other important information. You can also send us a formal order with "QGIS Security project" as the item. If you have specific administrative requirements in order to contribute, do not hesitate to get in touch.
🎉 Through your contribution, QGIS will be able to improve and become the best and most secure GIS software ever! Thank you! 🙏
⬇️ Pledge form ⬇️
Fill in the form below with the required details for us to send you an invoice.
Frequently Asked Questions
- 💬 How will I realize my pledge?
- 👉 Oslandia will send you an invoice, and you can pay by wire transfer.
- 💬 Can I become a partner?
- 👉 Yes. If you intend to support the project, help raise funds, or contribute time, effort or expertise, get in touch!
- 💬 How will security be managed after this project?
- 👉 QGIS.org and the QGIS maintainers and developers will continue to tackle security issues with the new processes and tooling in place. These efforts will require continuous funding, and we encourage you to become a QGIS sustaining member to support the security work after this project has been completed.