== Preamble ==
Just after landing the [[ https://meta.wikimedia.org/wiki/Wikimedia_Italia/LimeSurvey | WMI LimeSurvey initiative ]] (T274837), in an attempt to be pro-active and propose solid Free software solutions for Wikimedia contributors, a user raised a concern about the security of the LimeSurvey software itself:
> Security issues were found the previous two times wmf looked at from my understanding and that was without doing a full security review process....
> ― K. Peachey https://lists.wikimedia.org/pipermail/wikimedia-l/2021-February/096280.html
This is not a comment we should underestimate. For example, ~5 years ago the Wikimedia Foundation did not adopt LimeSurvey partly for that reason ({T109606}), and for the same reasons many other entities may adopt proprietary software like Qualtrics or Google Forms, relying on the excuse of not having any credible alternative available (although there are [[ https://apps.sandstorm.io/app/wupmzqk4872vgsye9t9x5dmrdw17mad97dk21jvcm2ph4jataze0 | QuickSurvey ]] and [[ https://apps.nextcloud.com/apps/forms | nextCloud Forms ]], which may be more audited - an irrelevant topic here - but which anyway are not as complete as LimeSurvey and do not try to be).
== Proposed solution ==
Do [[ https://en.wikipedia.org/wiki/Information_security_audit | security auditing ]] on LimeSurvey.
This security auditing will assure a valid alternative to Qualtrics, Google Forms or any other proprietary software, service, or [[ https://en.wikipedia.org/wiki/SaaSS | Service as a Software Substitute ]] that may be born tomorrow morning promising breathtaking safety thanks to the (questionable) arguments raised by these companies, which rely on [[ https://en.wikipedia.org/wiki/Security_through_obscurity | security through obscurity ]].
This means:
* [ ] understand what kind of security auditing has already been done on LimeSurvey
  * [ ] by WMF ([[ https://lists.wikimedia.org/pipermail/wikimedia-l/2021-February/096282.html | as already requested by Faw ]])
  * [ ] by [[ https://www.limesurvey.org/ | LimeSurvey GmbH ]] itself
  * [ ] ...
* [X] understand who can invest to take care of the remaining work
  * [X] [[ https://www.ils.org/ | Italian Linux Society ]] ([[ https://gitlab.com/ItalianLinuxSociety/brainstorm/-/issues/27 | related initiative ]])
  * [ ] [[ https://www.limesurvey.com/ | LimeSurvey Partner Services ]] itself
  * [ ] ...
* [X] `2021-04-27` provided cybersecurity economic estimate
* [X] `2021-05-12` informed LimeSurvey GmbH about our intentions
* [X] `2021-05-18` set up a fresh LimeSurvey Community Edition to be bombed
* [X] `2021-06-07` started planned cybersecurity activity
* [ ] `2021-06-11` conclude cybersecurity activity
* [ ] report found security bugs to LimeSurvey GmbH
* [ ] understand remediation strategies with upstream
* [ ] the world (and WMF) begins to trust LimeSurvey more again
In the meantime I can make sure that [[ https://www.wikimedia.it/ | Wikimedia Italia ]] will reward anyone who finds any security bug in its [[ https://meta.wikimedia.org/wiki/Wikimedia_Italia/LimeSurvey | WMI-LimeSurvey ]] instance, to promote healthy cooperation for a better Internet.
NOTE: See [[ https://meta.wikimedia.org/wiki/Wikimedia_Italia/Reporting_security_bugs | how to report a security bug in Wikimedia Italia ]].
WARNING: I would remind you that, in any case, any [[ https://it.wikipedia.org/wiki/Accesso_abusivo_a_un_sistema_informatico_o_telematico | unauthorized access to a computer system is punished by the Italian legal system too, with up to three years in prison ]]. So, if you are able to break Wikimedia Italia's security measures, you are not automagically authorized to download all the administrators' emails and post them on social networks, to then ask Wikimedia Italia for a biscuit in return for your magical services.