We take security very seriously. We welcome any peer review of our 100% open source code to ensure the information submitted through this platform or other who rely upon it is not compromised or that hacked.
In order to give the community time to respond and upgrade we strongly urge you report all security issues privately. Please email disclosure@opentech.fund with details and reproduction steps. Security issues always take precedence over bug fixes and feature work. We can and do mark releases as "urgent" if they contain serious security fixes.
For a list of recent security commits, check our GitHub commits prefixed with SECURITY.
This application relies upon Django's good use of the PBKDF2 algorithm to encrypt salted passwords. This algorithm is blessed by NIST. Security experts on the web tend to agree that PBKDF2 is a secure choice.
For more information on the security features within this application, please see Security in Django, which includes information on:
- Cross site scripting (XSS) protection
- Cross site request forgery (CSRF) protection
- SQL injection protection
- Clickjacking protection
- SSL/HTTPS
- Host header validation
- Session security
- User-uploaded content
- Additional security topics