
Security Analysis of Open Source Software

The National Test Institute for Cybersecurity (NTC) and the National Cyber Security Centre (NCSC) have conducted a pilot project to test two open source software solutions, TYPO3 and QGIS, for security vulnerabilities. Vulnerabilities were found in both products and have since been fixed by the respective developer communities. The pilot project has shown that targeted testing can strengthen the security of open source software (OSS) and increase Switzerland's cyber resilience. The NCSC is currently examining how security testing of OSS can be established on a permanent and structured basis in the future.


Read the full security reports with the technical details on QGIS and TYPO3. 

Open source software (OSS) is now a central component of digital infrastructure in Switzerland. The source code of OSS is publicly accessible and can be viewed, further developed and improved by the developer community worldwide. According to a study by Bern University of Applied Sciences, 97 per cent of organisations in public administration, education, healthcare and industry use OSS in at least one area. The economic significance of OSS is correspondingly high. However, the spread of open source software also brings new challenges: regular and structured security checks are not always carried out, and given the widespread use of OSS, a single vulnerability can quickly have far-reaching consequences for numerous organisations.

A pilot project with various participants

Aware of these risks, the National Cyber Security Centre (NCSC) and the National Test Institute for Cybersecurity (NTC) conducted a pilot project on the security testing of open source software from November 2024 to June 2025. The aim was to technically test two OSS products that are widely used and relevant in public administration, TYPO3 and QGIS, to identify vulnerabilities, and to work with the developer communities to fix them. The products to be tested were selected with the involvement of security officers from the federal government, the cantons and the communes. The NTC carried out the technical analysis, while the NCSC was responsible for coordinating and communicating the vulnerabilities as part of the Coordinated Vulnerability Disclosure (CVD) process.

Taking a closer look at TYPO3 and QGIS

TYPO3 is a content management system (CMS) for creating and managing websites. It is primarily used in large organisations such as companies, universities and government agencies, as it is particularly well suited to complex and multilingual websites. The security test covered several versions of TYPO3 Core as well as a number of extensions. A total of eight vulnerabilities were identified: two vulnerabilities in TYPO3 Core, both of low severity, and six further vulnerabilities in various extensions, of which one was rated ‘critical’, one ‘high’, three ‘medium’ and one ‘low’.

QGIS is a geographic information system (GIS) that can be used to collect, edit, analyse and visualise spatial data. It is primarily used in environmental planning, urban planning, geography, research and by public authorities to create maps and support geodata-based decisions. The security check covered QGIS Server and the QGIS organisation's web client, QGIS Web Client 2 (QWC2). A total of six vulnerabilities were identified: one vulnerability of low severity in QGIS Server and five vulnerabilities in the web client, two of which were rated ‘high’.

All relevant security vulnerabilities were fixed by the responsible open source development teams within the 90-day disclosure deadline of the CVD process. The updated software versions are available for download, and the technical details are documented in the test reports and in the NTC's Vulnerability Hub.

Cyber resilience in Switzerland increased

Feedback from those involved in the project has been overwhelmingly positive. The NCSC sees the pilot project as an important milestone on the path to a secure, resilient digital Switzerland. Specifically, the project has increased transparency regarding the security of OSS, reduced the attack surface of two widely deployed products and thus strengthened cyber resilience. Because the fixes benefit every user of TYPO3 and QGIS, the pilot project also makes a concrete contribution to global cyber security. In addition, the project directly supports the implementation of the National Cyberstrategy (NCS), in particular the strategic goal of ‘Secure and available digital services and infrastructures’.

The NCSC is currently examining ways in which comparable security checks can be supported and financed in the long term. The security of open source software is not only a technical task but also a societal one, and a decisive factor for Switzerland's digital sovereignty and resilience.

You can access the NCSC press release here.