We take security very seriously at the Open Technology Fund. We welcome any peer review of our 100% open source code to ensure the information submitted through this platform or other who rely upon it is not compromised or that hacked.
In order to give the community time to respond and upgrade we strongly urge you report all security issues privately. Please use our vulnerability disclosure program or particpate in our bug bounty program at HackerOne to provide details and repro steps and we will respond ASAP. If you prefer not to use Hacker One, email us directly at [email protected]
with details and repro steps. Security issues always take precedence over bug fixes and feature work. We can and do mark releases as "urgent" if they contain serious security fixes.
For a list of recent security commits, check our GitHub commits prefixed with SECURITY.
This application relies upon Django's good use of the PBKDF2 algorithm to encrypt salted passwords. This algorithm is blessed by NIST. Security experts on the web tend to agree that PBKDF2 is a secure choice.
For more information on the security features within this application, please see Security in Django, which includes information on:
- Cross site scripting (XSS) protection
- Cross site request forgery (CSRF) protection
- SQL injection protection
- Clickjacking protection
- SSL/HTTPS
- Host header validation
- Session security
- User-uploaded content
- Additional security topics