Gov 2.0 guide to Plone

Plone is a secure and flexible open source content management system (CMS) for building all types of web sites and web applications. It is supported by a vibrant developer community that is ranked in the top 2% of open source projects worldwide, and a large number of domestic and international public sector organizations, including the Federal Bureau of Investigation, rely on Plone to power their digital communications. Plone’s widespread adoption by high-profile users is due in no small measure to the project's open source codebase and unrivaled security record. These attributes continue to differentiate Plone from other CMS solutions. Given the increased importance of cyber security for all levels of government, one can expect to see continued (if not increased) adoption of Plone in the public sector despite strong competition from other open source and proprietary rivals.


According to the Common Vulnerabilities and Exposures Database maintained by MITRE Corporation, the security record of Plone is unrivaled. In fact, the number of high severity, publicly known vulnerabilities for Plone is orders of magnitude lower than that of all three of its main open source rivals:

Source: Common Vulnerabilities and Exposures List, MITRE Corporation

For many government organizations, Plone’s proven security track record is the most important feature highlighted during CMS selection.


While security often takes center stage when one mentions Plone, the vibrancy and size of its developer and user community are themselves important features of the solution. Despite periods of increased and decreased interest in the project over its ten-year life cycle, Plone maintains one of the strongest open source developer communities. At present, Plone’s community is massively global, with over 300 solution providers in 57 countries. There also are dozens of official local user groups and hundreds of unofficial ones thanks to Plone’s ongoing support of 40 languages. Finally, the project has strong ties to the wider Python and JavaScript (including the jQuery JavaScript framework) communities due to its heavy reliance on these languages.

Other Features

The release of the latest version of Plone in 2010 provided a major reinvigoration for the project. While continuing to emphasize security and usability, Plone 4 delivered big improvements in raw speed and scalability. These features help Plone better respond to the needs of complex web site and web application users – the segment of the CMS market where Plone excels.

Real-World Implementations

Perhaps no better driver exists for the adoption of an emerging software solution than real-world examples of successful implementations for comparable requirements. Since its release almost a decade ago, Plone has secured a number of high-profile public sector organizations. These implementations demonstrate its ability to meet even the most complex functional and security requirements. Plone also has been adopted by thousands of local and state governments, nonprofits, and other public sector organizations. These implementations illustrate how organizations big and small can leverage Plone to build beautiful websites that meet a broad spectrum of user needs and security considerations.

Brazilian Government

The Government of Brazil leveraged Plone to power Portal Brasil, the government’s main web portal. Plone also is being used by both the President and the Parliament.

Federal Bureau of Investigation

The FBI has made a major investment in Plone. Its latest redesign demonstrates its ongoing commitment to the platform. It also illustrates the ability of Plone to support a wide variety of functional requirements through native support or integration.

U.S. Department of Energy

The Department of Energy required web-based delivery of mission-critical documents called directives. Their emphasis was on security, sophisticated search, versioning, and role management rather than aesthetics. They selected Plone as their CMS to meet their enterprise document management needs.

European Environment Agency

The EEA is responsible for producing and disseminating important environmental information to EU citizens. The organization selected Plone as its CMS of record for its main external website.

City of Bern

Bern is one of the largest cities in Switzerland. The city turned to Plone for their main website. This implementation demonstrates Plone’s potential to meet local government needs.


The National Library of Congress of Chile built an integrated website platform based upon Plone. The platform integrates with Oracle, Autonomy, D-Space, and PostgreSQL. It helps the government advance open government as well as open data.


United Nations

The United Nations relies on Plone to power a number of the organization’s websites, including UNDP Asia-Pacific Development Implementation Programme and the UN Asian and Pacific Training Center for Information and Communication Technology for Development.

New Zealand

The Companies Office in New Zealand turned to Plone to meet its external communications requirements.

South Africa

The Department of Science and Technology funds a premier research facility, named SAEON, that establishes and maintains nodes (environmental observatories, field stations or sites) linked by an information management network to serve as research and education platforms for long-term studies of ecosystems. The organization’s website is built using Plone.

Nordic Council

The Nordic Council is a major intergovernmental forum that facilitates engagement between Nordic countries. The Council chose Plone for their main website.


About Michael Walsh

Michael Walsh is a well-known writer and speaker on open source and proprietary software. In addition to working at Microsoft and in open source communities like MapBox, Michael previously served as a regular contributor to TechNet Magazine. Presently, Michael is completing Post-MA classwork at The Johns Hopkins University SAIS. Feel free to contact him at

9 Responses

  1. Mike Walsh

    One point of elaboration here on the CVE data. It is not meant to serve as an analytical construct whereby the quantity of vulnerabilities is directly proportional to the security of the product. Therefore, one should not derive that 1 vulnerability for one product to 3 vulnerabilities for another means that the former is three times more secure. A much deeper level of analysis must be conducted upon the vulnerabilities, including differentiation between maintained and contributed code. There also needs to be a better understanding of the types of vulnerabilities and whether there is redundancy in the numbers for certain products. The CVE data therefore is meant to illustrate the strong security record of Plone, not the weak security record of the other platforms. While it would be great to have a deeper level of analysis, a security expert would need to conduct such an analysis and I have not seen it on the web. If you have seen anything of this sort, please post it here. :)

    Also, I was provided the following link in relation to this article:,-Joomla!-plug-in-vulnerabilities. It is beyond the scope of this article to tackle the issues presented in this link so I present it with no preconceived opinion. That said, I do stand by the aforementioned caution: a deeper level of analysis is required to fully understand the security profiles of the main OSS CMS products. The larger open government movement would benefit from such an endeavor by an objective third party. Until such a study is conducted, individuals can use the CVE data to misrepresent differences between OSS CMS products as well as between OSS and proprietary CMS products. This would not be good for the open government community as all of the OSS CMS products presented in this article are valuable solutions for specific use cases.

  2. Mark

    I’m curious how you arrived at your Severe Vulnerabilities graph. Since the source link only lands us at the top level of the CVE site, I looked around for a while but couldn’t find a date-based listing using the search, or a countable listing of severe vulnerabilities that could make up the graph. Would you please tell us how you arrived at the graph and/or provide the full link to where the source information is found? Thank you in advance!


