Comparison · PM

Kanboard vs Rize

Side-by-side trajectory, velocity, and editorial themes.

K0.0

Kanboard is on a year-long security-hardening run, sweeping the codebase one attack class at a time.

◆ Current state

Kanboard's last six releases read as a single sustained security audit: parameterized queries replacing raw SQL, SSRF protection for webhooks, LDAP injection escapes, timing-safe token comparisons, CSRF for project role changes, comment-visibility enforcement for unauthenticated users, and removal of unsafe deserialization paths (file cache driver, legacy serialized events). Feature work continues in parallel — RTL support, Arabic translation, sub-task counts, bulk tag operations — but is clearly secondary to the hardening arc.

◆ Where it's heading

The team is methodically working through input surfaces (LDAP, headers, webhooks, file uploads, redirect targets) and output surfaces (comments, exports, API responses) to close authorization and injection gaps. This is mature-project hygiene, not pivot work — Kanboard is positioning itself as an audit-ready self-hostable kanban for organizations with security review checklists. PHP 8.1 is now the floor; the codebase is being modernized alongside the hardening.

◆ Prediction

Expect the security cadence to continue with one to two more releases focused on remaining trust boundaries, then a feature-weighted release picking up RTL/locale follow-ons and possibly the long-promised SQLite/Postgres parity work hinted at by recent Docker Compose additions.

R7.5

Rize pivots from passive tracker to live, AI-queryable work data substrate.

◆ Current state

Rize landed two directional moves in the last 30 days: live time-entry creation that replaces the previous batched-after-the-fact model, and a Beta MCP server that exposes time tracking data to Claude and ChatGPT for natural-language analysis. Around those, the team rebuilt the time-entry review panel and added an alternative Work Hours calculation that excludes break time the way most teams actually want. Cadence is high and the releases are coherent, not scattered.

◆ Where it's heading

The product is repositioning itself from 'passive tracker that classifies activity later' to 'live work-data platform other AI tools can read.' MCP integration signals Rize wants to be the data layer external assistants reach into, not a self-contained reporting app. The live-entries shift is the user-experience counterpart: data is current and editable in the moment instead of reconstructed later.

◆ Prediction

Expect the next moves to lean into the new substrate: manager-facing project-overrun alerts, budget-vs-actual dashboards, or richer outbound webhooks. A natural follow-on is broader MCP exposure (write-side actions, not just read), or a chat surface inside Rize itself.
