I am trying to introduce limesurvey in a large healthcare organisation to hold (at least initially) anonymised non-confidential data. Patient satisfaction surveys, educational events feedback etc. In making a business case I need to evaluate risks.
What could I say about limesurvey security?
I plan initially to run it on an LAMP virtual machine in company's DMZ as I have experience running it on my machine and hosted on a generic hosting account, but later they may want to put it on their main web server. I need to have JSON-RPC enabled - I will be using R (cloudyr/limer) for creation of reports.
So far I know only that there are security updates and there is a mechanism for cross-site scripting detection.
It would be very useful if I could get some information about how limesurvey team plan for and address any security issues. Perhaps security policy? And maybe, if there is information on that, how other organisations that use limesurvey have been satisfied with security or addressed any security issues.
Well LimeSurvey is used by a lot of institutions, and many security companies scan LS code and report any issue they found. We fix the issues as soon as they are reported and we release immediately after that. Those release are tagged as "security release" and shown as security update in the comfortUpdate.
Thanks, that is very helpful. What kind of security companies scan LS code? Maybe some examples, or references to the process? Are they security research companies? I am asking because of my ignorance, I thought why would a company scan other party's code for vulnerabilities. Many thanks.
r0berts
The topic has been locked.
LouisGac
Visitor
5 years 9 months ago - 5 years 9 months ago#170406by LouisGac
