How secure is the attachment uploading?
Feature Upload allows your users to attach images and certain other file types to their suggestions and comments.
Allowing public uploading of files carries some security risks. Here’s how we mitigate these risks:
- We use Cloudinary, a third-party service for uploading and storing attachments.
- Cloudinary only allows certain file types. When a user attempts to upload an .html, .js, or .exe file, it is rejected, as are most other file types.
- Furthermore, we have configured Cloudinary to only accept a few whitelisted file types.
- Large files are rejected by Cloudinary.
- Cloudinary scans every upload for malware.
- Cloudinary has upload thresholds beyond which we receive warnings.
- We use additional scanning options.
- No uploaded file has a URL connected to your account. Uploaded files are always accessed via the domain name https://res.cloudinary.com/, so an uploaded file never risks tarnishing your domain’s reputation.
- We regularly rotate the “public” key used by the Cloudinary file uploader.
As well as this, we review our use of Cloudinary from time to time, looking for ways to further mitigate security risks.
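The file-type allowlist, size limit and separate delivery domain from the list above can be expressed as one check on an attachment link. This is an added example, not the vendor's or Cloudinary's code; the function name, the allowed types and the 10 MB cap are assumptions, since the page does not list the real values.

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "res.cloudinary.com"  # delivery domain named on the page
MAX_BYTES = 10 * 1024 * 1024         # assumed size cap, not the real setting
MAGIC = {                            # assumed allowlist: extension -> leading bytes
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def check_attachment(url, size_bytes, head):
    """Return the reasons to reject an attachment; an empty list means accept."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["URL does not parse"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # hostname drops userinfo and port, so lookalike URLs such as
    # "res.cloudinary.com@other.example" are compared on the real host.
    if (parts.hostname or "").lower() != ALLOWED_HOST:
        problems.append("host is not the delivery domain")
    if parts.username is not None or port not in (None, 443):
        problems.append("unexpected userinfo or port")
    name = parts.path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    signatures = MAGIC.get(ext)
    if signatures is None:
        problems.append("file type not on the allowlist")
    elif not head.startswith(signatures):
        # The extension alone proves nothing; the first bytes must agree with it.
        problems.append("content does not match extension")
    if not 0 < size_bytes <= MAX_BYTES:
        problems.append("size outside allowed range")
    return problems
```

Here `head` is the first few bytes of the file, so a file renamed to an allowed extension is still caught by the content check.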