We actively support the following versions with security updates:

| Version | Supported | Status |
|---|---|---|
| 1.7.x | ✅ | Current stable release |
| 1.6.x | ✅ | Maintenance mode (critical fixes only) |
| < 1.6 | ❌ | No longer supported |
We take the security of NoID Privacy seriously. If you discover a security vulnerability, please follow these steps:
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please report security issues via:
- Email: security@noid-privacy.com
- Subject Line: "SECURITY: [Brief Description]"
- Include:
  - Detailed description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if available)
  - Your contact information for follow-up

Response Timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline:
  - Critical: 7-14 days
  - High: 14-30 days
  - Medium: 30-60 days
  - Low: 60-90 days
We appreciate security researchers who follow responsible disclosure:
- Your name (if desired) will be credited in the security advisory
- You'll be listed in our SECURITY_HALL_OF_FAME.md
- We'll link to your website/GitHub profile (with permission)
In Scope:
- Privilege escalation vulnerabilities
- Code execution vulnerabilities
- Authentication/authorization bypasses
- Information disclosure (sensitive data)
- Cryptographic weaknesses
- Denial of service (if exploitable)
Out of Scope:
- Social engineering attacks
- Physical attacks
- Issues requiring physical access to victim's device
- Issues already documented as known limitations
- Third-party dependencies (report to upstream)
When using NoID Privacy:
- Always Backup: Create a system backup before applying changes
- Test First: Run the script in a VM before using it in production
- Review Code: Understand what the script does before running it
- Verify Integrity: Check file hashes before running
- Keep Updated: Use the latest version to get security fixes
- Admin Rights: Only run with Administrator privileges when necessary
- Trusted Sources: Only download from the official repository
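One way to script the integrity, signature, privilege and backup checks above before running the tool, as an added example that is not part of the NoID Privacy project. It assumes the tool is a PowerShell script run on Windows; the script path and the expected SHA-256 value are placeholders to be replaced with the values published in the official repository.

```powershell
# Pre-flight checks before running the hardening script (added example, not project code).
# Placeholders: the script path and the expected SHA-256 published by the maintainers.
param(
    [string]$ScriptPath   = '.\NoID-Privacy.ps1',               # placeholder path
    [string]$ExpectedHash = 'PASTE-SHA256-FROM-OFFICIAL-RELEASE' # placeholder value
)

$ErrorActionPreference = 'Stop'

# 1. Verify Integrity: compare the file hash against the published one (Get-FileHash returns uppercase hex).
$actual = (Get-FileHash -Path $ScriptPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash.ToUpperInvariant()) {
    throw "Hash mismatch for $ScriptPath (got $actual). Do not run it."
}

# 2. Script Signing: warn when the Authenticode signature is missing or invalid,
#    since signing is listed as recommended rather than guaranteed.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'; review the code before running."
}

# 3. Admin Rights: the script needs elevation, so check it up front instead of failing midway.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated PowerShell session.'
}

# 4. Always Backup: create a restore point so the changes can be rolled back
#    (Checkpoint-Computer is available in Windows PowerShell 5.1).
Checkpoint-Computer -Description 'Before NoID Privacy' -RestorePointType 'MODIFY_SETTINGS'

# 5. Review Code: display the script and require an explicit confirmation before it runs.
Get-Content -Path $ScriptPath | Out-Host
if ((Read-Host 'Run the script now? (y/N)') -ne 'y') { return }
& $ScriptPath
```

Run it in a VM first, as the list above advises, so the restore point and the script itself can be exercised before touching a production machine.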
This project implements multiple security layers:

| Feature | Purpose | Status |
|---|---|---|
| Script Signing | Verify script authenticity | Recommended |
| Mutex Lock | Prevent concurrent execution | ✅ Implemented |
| Error Handling | Safe failure modes | ✅ Implemented |
| Backup System | Rollback capability | ✅ Implemented |
| Verbose Logging | Audit trail | ✅ Implemented |
| Privilege Checks | Admin rights validation | ✅ Implemented |
We welcome security audits from the community. If you'd like to perform a security audit:
- Contact us beforehand
- Focus on code review and functionality testing
- Share findings privately first
- Allow reasonable time for fixes before public disclosure
Current Limitations:
- Standalone Focus: Not designed for domain environments
- Third-Party AV: May conflict with some antivirus products
- Hardware Requirements: Some features require TPM 2.0
- Reversibility: Some changes (Recall, Copilot) are permanent
- Manual Steps: Certain features require post-script configuration
Documented Issues:
- See KNOWN_ISSUES.md for current limitations
- See CHANGELOG.md for fixed vulnerabilities
When a security issue is confirmed:
- Acknowledgment: Issue reporter receives confirmation
- Investigation: Team investigates and validates
- Fix Development: Patch is developed and tested
- Security Advisory: CVE is requested (if applicable)
- Release: Patch is released with security notes
- Notification: Users are notified via GitHub Security Advisory
- Public Disclosure: After fix is available (coordinated disclosure)
For security concerns:
- Email: security@noid-privacy.com
- PGP Key: [Available on request]
For general issues:
- GitHub Issues: Report here
- General Support: support@noid-privacy.com
Last Updated: October 27, 2025
Version: 1.0
We thank the following security researchers for responsible disclosure:
No security vulnerabilities have been publicly disclosed at this time.
Thank you for helping keep NoID Privacy secure! 🙏