Your Films Are Safe Here: Cinemata Passes Independent Security Audit


What a penetration test means for the filmmakers, curators, and advocates who trust Cinemata with their work

By King Catoy, Cinemata Development Lead

There's a question that doesn't get asked enough when we talk about video platforms — who can access your films, and under what conditions?

For many filmmakers uploading to YouTube or Facebook, the honest answer is: the platform can, advertisers can, and, in some countries, governments can request it too. For filmmakers, alternative media outfits, community archivists, human rights defenders, and climate justice advocates who trust Cinemata with their work, the answer should be different — and now we have independent evidence to back that up.

The Open Technology Fund (OTF) recently published the results of a penetration test of Cinemata, conducted by Assured, a professional security consultancy based in Gothenburg, Sweden. The full report is publicly available on the OTF website. This article is our attempt to explain what that audit actually means for our community-driven platform.

What Is a Security Audit, Exactly?

When a filmmaker submits a film to a platform, they're trusting that site with something real: footage that may be sensitive, identities that may be at risk, and stories that may be suppressed elsewhere.

A security audit — or, more specifically, a penetration test — is the process of hiring expert security professionals to actively attempt to breach a platform. Not to cause harm, but to find the weaknesses before someone with bad intentions does. Think of it like hiring a locksmith to try every window and door of your house, then fix everything that opens when it shouldn't.

Assured's team did exactly that with Cinemata — testing the web application, the backend systems, server configuration, and everything in between. Given that Cinemata serves social issue filmmakers, video activists, and human rights defenders, they paid special attention to privacy risks — such as whether IP addresses were unnecessarily logged, whether viewing history could expose a user, and whether private films could be accessed by people who shouldn't see them.

What They Found — and What We Fixed


We must acknowledge that Cinemata did not come through the audit unscathed. The initial assessment identified 26 security issues, including 1 critical and 5 high-risk vulnerabilities. That is a sobering list, and it demanded our full attention and action.

The identified issues encompassed various types of vulnerabilities, including cross-site scripting that could facilitate account takeovers, flaws that could expose private media and metadata, and logging practices that recorded IP addresses in a way that created unnecessary privacy risks. For a platform that hosts users like journalists documenting human rights abuses and filmmakers working in politically sensitive environments, these were not mere technical concerns. They represented genuine risks to real individuals.

But here's what matters most — as of the publication of the OTF report, every single one of the 26 findings has been fixed and independently verified. The Assured team conducted multiple rounds of verification to confirm this. Not a patch job but a thorough remediation.

What Changed for You

If you upload films to Cinemata, or use the platform to curate or screen work, here's what the audit process produced in concrete terms:

  • Your private films are actually private. Before the audit, there were authorisation flaws that could have exposed private media and its metadata to unauthorised users. Those are now closed.

  • Administrator accounts are more secure. Cinemata now requires Multi-Factor Authentication (MFA) for all site administrators — meaning anyone with access to the archive of 7,000+ films must verify their identity with a second device, not just a password. This is the same standard used by banks and healthcare systems. It means that even if an administrator's password were somehow compromised, the account cannot be accessed without that second layer of verification.

  • The platform is hardened against common attacks. Cross-site scripting protections, stronger password requirements, improved HTTPS security headers — these are the unglamorous but essential layers that make a platform harder to exploit.
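One of the "unglamorous layers" listed above, the HTTPS security headers, is something any organisation running its own CinemataCMS instance can verify for itself. The checker below is an added example (not Cinemata's, MediaCMS's, or Assured's code): it parses a raw response header block such as the output of `curl -sI https://your-host/` and reports which common hardening headers are missing or weak. The header set and thresholds are a general baseline assumed here, not the audit's actual findings.

```python
"""Audit HTTPS security headers in a web platform's responses.
Added example, not code from Cinemata, MediaCMS, or the Assured report; the
checks are a common hardening baseline and the sample responses are constructed."""
import re

ONE_YEAR = 31536000  # seconds; the usual minimum HSTS max-age

def parse_raw_headers(raw: str) -> dict:
    """Turn a raw response header block (e.g. from `curl -sI`) into a dict."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif not age or int(age.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age shorter than one year")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP contains 'unsafe-inline'")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    if re.search(r"\d", h.get("server", "")):
        findings.append("Server header discloses a software version")
    return findings

# Constructed sample responses: a weak deployment next to a hardened one.
WEAK_RAW = "HTTP/1.1 200 OK\nServer: nginx/1.18.0\nContent-Type: text/html\n"
HARDENED_RAW = (
    "HTTP/2 200\nserver: nginx\n"
    "strict-transport-security: max-age=63072000; includeSubDomains\n"
    "content-security-policy: default-src 'self'; frame-ancestors 'none'\n"
    "x-content-type-options: nosniff\n"
    "referrer-policy: strict-origin-when-cross-origin\n"
)
```

Run `audit_headers(parse_raw_headers(WEAK_RAW))` to see six findings, and the same call on `HARDENED_RAW` returns an empty list.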

Why This Audit Happened — A Brief History

Cinemata started in 2021 and is built on MediaCMS — an open-source Django video platform created by Markos Gogoulos and his team. Markos and the MediaCMS project laid the foundation for Cinemata, and we're grateful for that.

By 2025, it became clear that Cinemata needed its own development path. The platform was hosting increasingly sensitive content from across the region. Our users — human rights defenders in Myanmar, alternative media outlets in the Philippines, filmmakers documenting issues that repressive governments would prefer to keep hidden — needed a platform purpose-built for their security needs, not just adapted from a general-purpose one.

We applied to OTF's Red Team Lab, which funds independent security audits for internet freedom tools. OTF matched us with Assured, and what began as a security check-up became a five-month intensive rethinking of how Cinemata was built.

That process also accelerated something we'd been building toward: a dedicated team of Southeast Asian developers who understand not just the technology, but the region's political context. Adryan Eka Vandra (Indonesia), Jay Cruz (Philippines), Jeremy Valentino Manik (Indonesia), and security and infrastructure specialist Ashraf Haque (Bangladesh) are now the core team advancing CinemataCMS.

What Comes Next

The security audit establishes a baseline, and our developers are committed to maintaining it through regular updates, ongoing reviews, and the kind of careful, deliberate development that advocacy platforms require.

If you're a filmmaker with work on Cinemata, we hope this gives you more confidence in the platform's commitment to protecting what you've shared. If you're an organisation considering CinemataCMS for your own archive or film festival, we'd welcome that conversation.

The films you make matter. The platform that holds them should be worthy of that trust.

Read the full OTF security audit report: https://www.opentech.fund/security-safety-audits/cinemata/

Assured's blog post on the penetration test: https://www.assured.se/posts/pentest-report-cinemata

CinemataCMS on GitHub: https://github.com/EngageMedia-video/cinematacms