Zooniverse Security

The Zooniverse takes very seriously the security of our websites and systems, and protecting our users and their personal information is our highest priority. We take every precaution to ensure that the information you give us stays secure, but it is also important that you take steps to secure your own account, including:

• Do not use the same password on different websites. The password you use for your Zooniverse account should be unique to us.
• Never give your password to anyone. We will never ask you to send us your password, and you should never enter your Zooniverse password into any website other than ours. Always check your browser's address bar to make sure you have a secure connection to www.zooniverse.org.

For general advice and information about staying safe online, please visit:

• Get Safe Online
• Stay Safe Online
• US-CERT - Tips

Reporting Security Issues

The Zooniverse supports responsible disclosure of vulnerabilities. If you believe you have discovered a security vulnerability in any Zooniverse software, we ask that this first be reported to security@zooniverse.org to allow time for vulnerabilities to be fixed before details are published.

Known Vulnerabilities and Incidents

We believe it is important to be completely transparent about security issues. A complete list of fixed vulnerabilities and past security incidents is given below:

• November 13, 2022: Cross-Site Scripting Vulnerability on hosted media domains

• November 9, 2020: Cross-Site Scripting Vulnerability in Zoomapper App

• April 3, 2020: Caesar Subject Rule Effect Vulnerability

• December 11, 2018: Cross-Site Scripting Vulnerability on Project Page's External Links

• June 21, 2018: Cross-Site Scripting on Project Home Pages

New vulnerabilities and incidents will be announced via the Zooniverse blog in the "technical" category.