Andreas/noid-privacy
1
0
Fork 0
mirror of https://github.com/NexusOne23/noid-privacy.git synced 2026-02-07 12:11:53 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
noid-privacy/SECURITY.md
NexusOne23 d8e49ddeb1 Docs: Fix markdown formatting, dates, and add framework diagram 
- README.md: Fix arrows, emojis, broken markdown (11 fixes)
- FEATURES.md: Update dates
- CHANGELOG.md: Fix Quad9 as default DNS
- CONTRIBUTING.md: Close unclosed code block
- SECURITY.md: Update date
- SECURITY-ANALYSIS.md: Translate German text to English
- assets: Add framework-architecture.png
2025-12-08 11:25:45 +01:00

5.4 KiB
Raw Blame History

Security Policy

🔒 Reporting Security Vulnerabilities

We take the security of NoID Privacy seriously. If you discover a security vulnerability, please follow responsible disclosure practices.

How to Report

DO NOT create a public GitHub issue for security vulnerabilities.

Instead, please report security issues via one of these methods:

  1. GitHub Security Advisory (Preferred)

  2. GitHub Discussions (Private)

    • Create a new discussion in the Security category
    • Mark it as "Private" if possible
    • Provide full details

  3. Email (Alternative)

    • Create a discussion requesting secure contact
    • We'll provide a secure communication channel

📋 What to Include

When reporting a vulnerability, please include:

  • Description: Clear description of the vulnerability
  • Impact: What can an attacker achieve?
  • Affected Versions: Which versions are affected?
  • Steps to Reproduce: Detailed reproduction steps
  • Proof of Concept: PoC code if applicable (optional)
  • Suggested Fix: If you have one (optional)

⏱️ Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Depends on severity
    • Critical: 7-14 days
    • High: 14-30 days
    • Medium: 30-60 days
    • Low: 60-90 days

🎖️ Recognition

We appreciate responsible disclosure! Contributors will be:

  • Credited in the CHANGELOG (if desired)
  • Listed in the Security Hall of Fame (coming soon)
  • Eligible for swag/recognition (for significant findings)

🛡️ Security Features

NoID Privacy implements multiple security layers:

Secure by Design

  • No External Dependencies: Zero third-party DLLs or executables
  • Code Signing (Planned): Code signing for all PowerShell scripts is planned (coming soon)
  • Verification: 630+ automated compliance checks
  • Rollback: Complete backup & restore functionality

Security Hardening Applied

  • 🔐 Microsoft Security Baseline 25H2 (425 settings)
  • 🛡️ Attack Surface Reduction (19 rules)
  • 🔒 Credential Guard + VBS + HVCI
  • 🤖 AI Lockdown (Recall, Copilot, etc.)
  • 🌐 DNS-over-HTTPS with no fallback
  • 🚫 Zero-Day Protection (CVE-2025-9491 SRP)

📊 Supported Versions

Version Supported Notes
2.2.x Fully Supported Current release, 630+ settings
2.1.x ⚠️ Limited Support Upgrade to 2.2.x recommended
2.0.x Not Supported Deprecated
1.8.x Not Supported Legacy version (MIT license)

Recommendation: Always use the latest v2.x release.

🔐 Security Best Practices for Users

Before Running

  1. Verify Script Integrity

    # Check file hash (coming soon - SHA256 checksums in releases)
Get-FileHash .\NoIDPrivacy.ps1 -Algorithm SHA256

  2. Review Code

    • This is open-source - read the code!
    • Understand what changes will be made
    • Check CHANGELOG for recent changes

  3. Create Backup

    • System Restore Point
    • Full system image
    • VM snapshot (if applicable)

During Execution

  • ⚠️ Run as Administrator (required)
  • ⚠️ Disable third-party antivirus temporarily (may interfere)
  • ⚠️ Close sensitive applications
  • ⚠️ Review verification report

After Execution

  • Run verification: .\Tools\Verify-Complete-Hardening.ps1
  • Review HTML compliance report
  • Test critical applications
  • Keep backups for 30 days

🚨 Known Security Considerations

Domain-Joined Systems

  • ⚠️ Local Group Policies may conflict with Domain GPOs
  • ⚠️ Domain GPOs override local policies every 90 minutes
  • Recommendation: Use in standalone/workgroup systems only

Third-Party Software Compatibility

  • ⚠️ ASR rules may block unknown installers
  • ⚠️ Some hardening settings may affect application functionality
  • Solution: Temporarily disable specific ASR rules (see README)

Rollback Limitations

  • ⚠️ Bloatware removal is partially reversible (policy-based on 25H2+ Enterprise/Education)
  • ⚠️ Some changes require manual reverification after restore
  • Solution: Test in VM first, maintain system backups

📚 Security Resources

🔍 Code Quality

Testing & Validation

  • PSScriptAnalyzer: Available for static analysis
  • Pester Tests: Unit and integration tests available in Tests/ directory
  • Verification: 630+ automated compliance checks in production

Run tests yourself:

.\Tests\Run-Tests.ps1

Vulnerability Disclosures

No security vulnerabilities reported to date.

📄 License & Legal

  • License: GNU General Public License v3.0
  • Disclaimer: Use at your own risk. No warranties provided.
  • Compliance: Implements Microsoft-recommended security settings

For licensing questions, see LICENSE or open a Discussion.

Last Updated: December 8, 2025
Policy Version: 1.1