Mobilizon takes security, privacy and user control seriously, and we want to put them front and centre of our project.
This document outlines security procedures and general policies for the Mobilizon project. Framasoft, the Mobilizon maintainer team and community take all security bugs in Mobilizon seriously. Thank you for improving the security of Mobilizon. We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.
Mobilizon users can understand the distinctions between public data and private data/metadata on Mobilizon.
Users always know where their private data/metadata resides, who has access to it, and are able to access, export, and delete it.
Protect private user data/metadata, not just from hackers but also (as much as is possible) from other users, instance admins, community moderators, and external applications.
Secure from malicious creation, alteration or deletion of public data.
Framasoft is both a developer of open-source/free/libre self-hosted software, and a service provider with users in the European Union. As a result, we are putting user privacy, data sovereignty, and GDPR compliance into our security plans, including asking both the Framasoft community and outside hackers to review our approaches and implementations.
Mobilizon will be challenging to keep secure, as it is:
open source, both back-end and front-end
self-hosted by diverse organisations and individuals
federated (data is transmitted between different hosted instances)
This means there are more attack surfaces compared to typical proprietary, centralised platforms, but also means that hackers and even users can review every part of Mobilizon and make sure that it works as expected. This should result in more secure software, and higher trust in the application and its ecosystem.
We are committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. You can help us by following these simple guidelines:
Note: Please report security bugs in third-party modules to the person or team maintaining the module.
If you have suggestions on how this process could be improved please submit a pull request.