NTFS Manager takes security seriously. This document outlines our security policies, supported versions, and how to report vulnerabilities.
We actively support and provide security updates for the following versions:
| Version | Supported | End of Support |
|---|---|---|
| 1.0.x | Yes (Current) | TBD |
| < 1.0 | No | November 2024 |
Note: Only the latest stable release receives security updates. We recommend always using the most recent version.
If you discover a security vulnerability in NTFS Manager, please report it responsibly. We appreciate your efforts to improve the security of our software.
For Security Issues:
- Do NOT open a public GitHub issue
- Email us directly at: support_ntfs@magdrivex.com.au
- Include the following information:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact and severity
  - Suggested fix (if available)
  - Your contact information
Subject Line Format:
[SECURITY] Brief description of the vulnerability
We are committed to addressing security issues promptly:
- Initial Response: Within 48 hours of report
- Vulnerability Confirmation: Within 5 business days
- Fix Development: 7-14 days (depending on severity)
- Patch Release: Within 21 days for critical issues
- Public Disclosure: After patch is released and users have time to update
| Severity | Description | Response Time |
|---|---|---|
| Critical | Remote code execution, privilege escalation | 24-48 hours |
| High | Data exposure, authentication bypass | 3-7 days |
| Medium | Information disclosure, DoS attacks | 7-14 days |
| Low | Minor security improvements | 14-30 days |
NTFS Manager includes several security features:
- Input Validation: All user inputs are validated and sanitized
- Permission Checks: Proper privilege escalation handling with PolicyKit
- Audit Logging: Comprehensive logging of all operations
- Secure File Operations: Safe handling of NTFS filesystem operations
- Code Scanning: Automated security analysis with CodeQL
- Dependency Monitoring: Automated vulnerability scanning with Dependabot
- License Compliance: Automated license checking
We employ multiple layers of security testing:
- Static Analysis: CodeQL, Bandit, and custom security rules
- Dependency Scanning: Regular updates and vulnerability checks
- Code Review: All changes undergo security-focused review
- Automated Testing: Security test suite in CI/CD pipeline
For Users:
- Keep Updated: Always use the latest version
- Download from Official Sources: Only download from GitHub releases or official repositories
- Verify Integrity: Check SHA256 checksums of downloaded files
- Use Secure Systems: Keep your Linux system and dependencies updated
- Review Permissions: Understand what permissions the software requires
For Developers:
- Follow Secure Coding Practices: Adhere to OWASP guidelines
- Validate All Input: Never trust user-provided data
- Use Parameterized Commands: Avoid shell injection vulnerabilities
- Handle Errors Securely: Don't expose sensitive information in error messages
- Review Security Implications: Consider security in all code changes
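As an added illustration of the "Validate All Input" and "Use Parameterized Commands" items above (example code, not NTFS Manager's own): a hypothetical helper that assembles an ntfs-3g mount command as an argv list, rejects any user-supplied field outside an allowlist, and shows the string-building pattern the guideline warns against for contrast. The allowed mount options and the device and mount-point patterns are assumptions chosen for the example.

```python
import re
import subprocess
from typing import Sequence

# Allowlists are assumptions for this example, not the project's real policy.
DEVICE_RE = re.compile(r"^/dev/[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*$")
MOUNTPOINT_RE = re.compile(r"^/(?:[A-Za-z0-9._\-]+/?)+$")
ALLOWED_OPTIONS = {"ro", "rw", "noexec", "nosuid", "nodev", "big_writes"}


def build_mount_argv(device: str, mountpoint: str,
                     options: Sequence[str] = ()) -> list[str]:
    """Return ['mount', '-t', 'ntfs-3g', ...] after validating every user field.

    Raises ValueError for anything outside the allowlists, so shell
    metacharacters, whitespace and '..' path segments never reach a command
    line, even as literal argv elements.
    """
    if not DEVICE_RE.match(device):
        raise ValueError(f"invalid device path: {device!r}")
    if not MOUNTPOINT_RE.match(mountpoint) or ".." in mountpoint.split("/"):
        raise ValueError(f"invalid mount point: {mountpoint!r}")
    bad = [o for o in options if o not in ALLOWED_OPTIONS]
    if bad:
        raise ValueError(f"unsupported mount options: {bad}")
    argv = ["mount", "-t", "ntfs-3g"]
    if options:
        argv += ["-o", ",".join(options)]
    return argv + [device, mountpoint]


def run_mount(device: str, mountpoint: str, options: Sequence[str] = ()):
    """Execute the validated argv with shell=False (the default).

    Each element goes straight to execve(); /bin/sh never re-parses it, so
    no quoting or escaping is needed and none can be forgotten.
    """
    return subprocess.run(build_mount_argv(device, mountpoint, options),
                          check=False, capture_output=True, text=True)


def unsafe_mount_command(device: str, mountpoint: str) -> str:
    """The anti-pattern the guideline warns against, kept only for contrast.

    A string like this run with shell=True lets the shell interpret any
    metacharacter in `device` or `mountpoint` as part of the command line.
    """
    return f"mount -t ntfs-3g {device} {mountpoint}"
```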
Automated Security Measures:
- CodeQL Analysis: Weekly comprehensive security analysis
- Dependency Checks: Daily security update monitoring
- Code Quality: Continuous linting and best practice enforcement
- Code Reviews: All pull requests reviewed for security implications
- External Audits: Periodic third-party security assessments (as resources permit)
Security updates are distributed through:
- GitHub Releases: Tagged releases with security fixes
- Dependabot: Automated dependency updates
- Security Advisories: Published for critical issues
- Release Notes: Detailed changelog of security fixes
Stay informed about security updates:
- GitHub Watch: Watch repository for release notifications
- Security Advisories: Enable GitHub security alerts
- Release Feed: Subscribe to release RSS feed
- Email Updates: Available for commercial license holders
We believe in responsible disclosure and will:
- Acknowledge your report promptly
- Keep you informed of progress
- Credit you in release notes (if desired)
- Coordinate public disclosure timing with you
- Not take legal action against good-faith security researchers
We maintain a list of security researchers who have helped improve NTFS Manager's security:
No vulnerabilities reported yet
Before submitting code, ensure:
- No hardcoded credentials or secrets
- All user input is validated
- SQL queries use parameterization (if applicable)
- File operations check permissions
- Error messages don't expose sensitive data
- Dependencies are up-to-date and secure
- Security tests pass
- Code review completed
Security Tools:
- CodeQL: Advanced semantic code analysis
- Bandit: Python security linter
- Safety: Python dependency vulnerability scanner
- pip-audit: PyPI package vulnerability auditing
- Dependabot: Automated dependency updates
Security Contact:
- Email: support_ntfs@magdrivex.com.au
- Subject: [SECURITY] Your Issue Description
- Response Time: Within 48 hours
General Support:
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Documentation: Wiki
This project uses a Dual License model:
- Personal Use: Free under LICENSE-PERSONAL
- Commercial Use: Paid license required (LICENSE-COMMERCIAL)
Security updates are provided for both license types.
Last Updated: November 4, 2025
Version: 1.0
Next Review: February 2026
Thank you for helping keep NTFS Manager and its users safe!