We take the security of NoID Privacy seriously. If you discover a security vulnerability, please follow responsible disclosure practices.
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please report security issues via one of these methods:
1. GitHub Security Advisory (Preferred)
   - Go to: https://github.com/NexusOne23/noid-privacy/security/advisories
   - Click "Report a vulnerability"
   - Fill out the private security advisory form
2. GitHub Discussions (Private)
   - Create a new discussion in the Security category
   - Mark it as "Private" if possible
   - Provide full details
3. Email (Alternative)
   - Create a discussion requesting secure contact
   - We'll provide a secure communication channel
When reporting a vulnerability, please include:
- Description: Clear description of the vulnerability
- Impact: What can an attacker achieve?
- Affected Versions: Which versions are affected?
- Steps to Reproduce: Detailed reproduction steps
- Proof of Concept: PoC code if applicable (optional)
- Suggested Fix: If you have one (optional)
Response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
  - Critical: 7-14 days
  - High: 14-30 days
  - Medium: 30-60 days
  - Low: 60-90 days
We appreciate responsible disclosure! Contributors will be:
- Credited in the CHANGELOG (if desired)
- Listed in the Security Hall of Fame (coming soon)
- Eligible for swag/recognition (for significant findings)
NoID Privacy implements multiple security layers:
- No External Dependencies: Zero third-party DLLs or executables
- Code Signing (Planned): Signing of all PowerShell scripts is planned (coming soon)
- Verification: 630+ automated compliance checks
- Rollback: Complete backup & restore functionality
- Microsoft Security Baseline 25H2 (425 settings)
- Attack Surface Reduction (19 rules)
- Credential Guard* + VBS + HVCI (*Enterprise/Education only)
- AI Lockdown (Recall, Copilot, etc.)
- DNS-over-HTTPS with no fallback
- Zero-Day Protection (CVE-2025-9491 SRP)
| Version | Supported | Notes |
|---|---|---|
| 2.2.x | Fully Supported | Current release, 630+ settings |
| 2.1.x | Upgrade to 2.2.x recommended | |
| 2.0.x | Not Supported | Deprecated |
| 1.8.x | Not Supported | Legacy version (MIT license) |
Recommendation: Always use the latest v2.x release.
1. Verify Script Integrity

```powershell
# Compare against CHECKSUMS.sha256 from the GitHub Release
Get-FileHash .\NoIDPrivacy.ps1 -Algorithm SHA256

# Or verify the entire release folder:
Get-ChildItem *.ps1, *.psm1 | ForEach-Object { "$((Get-FileHash $_.FullName -Algorithm SHA256).Hash.ToLower()) $($_.Name)" }
```

   Each GitHub release includes a `CHECKSUMS.sha256` file with SHA256 hashes of all release files.

2. Review Code
   - This is open-source - read the code!
   - Understand what changes will be made
   - Check CHANGELOG for recent changes

3. Create Backup
   - System Restore Point
   - Full system image
   - VM snapshot (if applicable)
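The integrity check in step 1 above leaves the comparison against `CHECKSUMS.sha256` to the reader. The script below is an added example for this page, not code from the NoID Privacy project: it parses a downloaded `CHECKSUMS.sha256`, recomputes the SHA256 of every listed file, and reports mismatches, missing files and any `.ps1`/`.psm1` in the folder that the checksum file does not cover. It assumes one `<sha256> <filename>` entry per line (the format the one-liner above emits; the coreutils `<sha256> *<filename>` form is accepted too), and the folder path in the usage call is a placeholder.

```powershell
# Added example (not part of the NoID Privacy project): verify a release folder
# against CHECKSUMS.sha256 instead of comparing Get-FileHash output by eye.
# Assumption: one "<sha256> <filename>" entry per line in the checksum file.
function Test-ReleaseChecksums {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ReleaseFolder,
        [string] $ChecksumFile          # defaults to <ReleaseFolder>\CHECKSUMS.sha256
    )

    if (-not $ChecksumFile) { $ChecksumFile = Join-Path $ReleaseFolder 'CHECKSUMS.sha256' }
    if (-not (Test-Path -LiteralPath $ChecksumFile -PathType Leaf)) {
        throw "Checksum file not found: $ChecksumFile"
    }

    $report = [System.Collections.Generic.List[object]]::new()
    $listed = @()   # file names the checksum file covers

    foreach ($raw in Get-Content -LiteralPath $ChecksumFile) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith('#')) { continue }   # blank line or comment

        # 64 hex chars, whitespace, optional coreutils "*" binary marker, file name
        if ($line -notmatch '^(?<hash>[0-9A-Fa-f]{64})\s+\*?(?<name>.+)$') {
            $report.Add([pscustomobject]@{ File = $line; Status = 'MALFORMED'; Expected = $null; Actual = $null })
            continue
        }
        $expected = $Matches.hash.ToLower()
        $name     = $Matches.name.Trim()
        $listed  += $name
        $path     = Join-Path $ReleaseFolder $name

        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $report.Add([pscustomobject]@{ File = $name; Status = 'MISSING'; Expected = $expected; Actual = $null })
            continue
        }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $status = if ($actual -eq $expected) { 'OK' } else { 'MISMATCH' }
        $report.Add([pscustomobject]@{ File = $name; Status = $status; Expected = $expected; Actual = $actual })
    }

    # Scripts present in the folder but absent from the checksum file deserve the same
    # scrutiny as a mismatch: a tampered release can add files as well as alter them.
    Get-ChildItem -LiteralPath $ReleaseFolder -File |
        Where-Object { $_.Extension -in '.ps1', '.psm1' -and $_.Name -notin $listed } |
        ForEach-Object {
            $report.Add([pscustomobject]@{ File = $_.Name; Status = 'UNLISTED'; Expected = $null; Actual = $null })
        }

    return $report.ToArray()
}

# Usage (placeholder path): the unpacked release with CHECKSUMS.sha256 placed alongside it.
$report = Test-ReleaseChecksums -ReleaseFolder 'C:\Downloads\NoIDPrivacy-release'
$report | Format-Table File, Status -AutoSize
$bad = $report | Where-Object Status -ne 'OK'
if ($bad) {
    Write-Warning "$($bad.Count) file(s) failed verification - do not run this release."
} else {
    Write-Host "All $($report.Count) listed files match CHECKSUMS.sha256."
}
```

Treat any status other than `OK` as a stop signal: a `MISSING` or `UNLISTED` script is as much a sign of a modified download as a hash `MISMATCH`, since the checksum file pins the set of files, not just their contents.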
- Run as Administrator (required)
- Disable third-party antivirus temporarily (may interfere)
- Close sensitive applications
- Review verification report

After hardening:
- Run verification: `.\Tools\Verify-Complete-Hardening.ps1`
- Review HTML compliance report
- Test critical applications
- Keep backups for 30 days
- Local Group Policies may conflict with Domain GPOs
- Domain GPOs override local policies every 90 minutes
- Recommendation: Use in standalone/workgroup systems only

- ASR rules may block unknown installers
- Some hardening settings may affect application functionality
- Solution: Temporarily disable specific ASR rules (see README)

- Bloatware removal is partially reversible (policy-based on 25H2+ Enterprise/Education)
- Some changes require manual reverification after restore
- Solution: Test in VM first, maintain system backups
- Microsoft Security Baseline: https://aka.ms/securitybaselines
- Attack Surface Reduction: https://aka.ms/ASRrules
- Windows Security Documentation: https://learn.microsoft.com/windows/security/
- PSScriptAnalyzer: Available for static analysis
- Pester Tests: Unit and integration tests available in the `Tests/` directory
- Verification: 630+ automated compliance checks in production

Run tests yourself: `.\Tests\Run-Tests.ps1`

No security vulnerabilities reported to date.
- License: GNU General Public License v3.0
- Disclaimer: Use at your own risk. No warranties provided.
- Compliance: Implements Microsoft-recommended security settings
For licensing questions, see LICENSE or open a Discussion.
Last Updated: December 22, 2025
Policy Version: 1.1