We take the security of NoID Privacy for Linux seriously. If you discover a security vulnerability, please follow responsible disclosure practices.
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please report security issues via one of these methods:
- GitHub Security Advisory (Preferred)
  - Go to: https://github.com/NexusOne23/noid-privacy-linux/security/advisories
  - Click "Report a vulnerability"
  - Fill out the private security advisory form
- GitHub Discussions (Alternative)
  - Create a new discussion in the Security category
  - Mark it as "Private" if possible
  - Provide full details
When reporting a vulnerability, please include:
- Description: Clear description of the vulnerability
- Impact: What can an attacker achieve?
- Affected Versions: Which versions are affected?
- Steps to Reproduce: Detailed reproduction steps
- Proof of Concept: PoC code if applicable (optional)
- Suggested Fix: If you have one (optional)
| Severity | Acknowledgement | Fix Target | Max Resolution |
|---|---|---|---|
| Critical | 24 hours | 7 days | 14 days |
| High | 48 hours | 14 days | 30 days |
| Medium | 7 days | 30 days | 60 days |
| Low | 7 days | 60 days | 90 days |
We appreciate responsible disclosure! Contributors will be:
- Credited in the CHANGELOG (if desired)
- Listed in the Security Hall of Fame (coming soon)
NoID Privacy for Linux is designed with security in mind:
- Read-Only: The script only reads system state; it never modifies your system
- Pure Bash core: No Python, Ruby, Node.js, or compiled binaries. Uses standard Linux utilities (most pre-installed) where needed.
- No Telemetry, No Analytics, No Phone-Home: Zero data collected about you or your system
- ⚠️ Network leak-tests run by default: Three sections issue 3rd-party DNS/HTTP requests to detect IP/DNS leaks:
  - Section 5 (`vpn`): `curl detectportal.firefox.com` (Mozilla), `curl ifconfig.me` (Cloudflare-fronted)
  - Section 5 (`netleaks`): `dig whoami.akamai.net` (Akamai)
  - Section 22 (`interfaces`): `dig google.com` (Google)

  These are inherent to leak-testing: you can't test for an IP leak without contacting an external service. For a fully offline audit, use:

  ```bash
  sudo bash noid-privacy-linux.sh --skip vpn --skip interfaces --skip netleaks
  ```
- Single File: One script, easy to read and audit
- Open Source: Every line is inspectable on GitHub
- No Obfuscation: Plain Bash, no encoded/minified code
- Deterministic: Same system state = same output
| Version | Supported | Notes |
|---|---|---|
| 3.6.5 | Fully Supported | Current release; ARP state-breakdown math fix (F-361, supersedes F-352) + script-wide grammar polish (F-362): `_plural()` helper, 19 (s)-pattern sweep, F-328 subject-verb agreement |
| 3.6.4 | Supported | Live-Audit Self-Review (10 detection-accuracy fixes F-350..F-360): PRIMARY_IFACE UP-state preference, mic-detection accuracy, ARP state-naming, orphan-sub-header fallbacks, squashfs/Flatpak message accuracy, webcam dedup, banner clarification |
| 3.6.3 | Supported | ausearch hang-fix on Fedora 44 (F-349) + Anaconda WebUI RPM-verify exclusion (F-348) |
| 3.6.2 | Supported | Hardening Posture rebrand, capability layer, BATS test-suite, 11-pattern API-lint, CIS L1/L2/STIG mapping, HSI integration, AIDE last-run authoritative (F-337), find-performance via -prune (F-338), hardened-distro false-positive fixes (F-343..F-348) |
| 3.6.0–3.6.1 | Supported | Earlier 3.6 series; upgrade to 3.6.5 recommended |
| 3.5.x | Supported | DE dispatcher (KDE/XFCE/MATE/Cinnamon), exit codes, signal handling, ShellCheck-clean; upgrade to 3.6.5 recommended |
| 3.4.x | Upgrade to 3.6.5 recommended | |
| 3.3.x | Upgrade to 3.6.5 recommended | |
| 3.1.x | End of Life | Upgrade to 3.6.5 |
| 2.0.x | End of Life | Upgrade to 3.6.5 |
| 1.x | Not Supported | Legacy version |
Recommendation: Use v3.6.5.
- Review the Code (most important)

  ```bash
  # It's one file in pure Bash: read it!
  less noid-privacy-linux.sh
  ```

  This is the only meaningful integrity check. Don't trust hashes from untrusted sources; read the code yourself.
- Check the Source
  - Download only from the official GitHub repository
  - Verify the URL: https://github.com/NexusOne23/noid-privacy-linux
  - For CI/CD usage: pin to a specific version (`@v3.6.5`), never `@main`
- Verify against the GitHub repository commit hash

  ```bash
  # The script is one file in pure Bash. Verify you're getting it from
  # the official repo and inspect the commit history:
  git log --oneline noid-privacy-linux.sh | head -5
  # Or check the release tag against the live GitHub view:
  # https://github.com/NexusOne23/noid-privacy-linux/releases
  ```

We do NOT publish SHA256 sums separately: the canonical integrity check is the GitHub commit/tag hash itself. Code review is the meaningful audit; hash-comparison from untrusted sources adds nothing.
⚠️ Requires root access (sudo) for comprehensive system checks
- The script only reads; it does not modify any files or settings
- All checks use standard Linux utilities (sysctl, ss, systemctl, etc.)
- Review the findings and fix issues manually or with AI assistance (`--ai`)
- Re-run periodically to verify your hardening holds
- Share reports with your team (no sensitive data in output by default)

⚠️ The script requires `sudo` to read certain system files (e.g., `/etc/shadow` permissions, firewall rules)
- Root access is used for reading only: no writes, no modifications
- The most reliable verification is human review: the script is one file in plain Bash. Open it in `less` and check what it does.

⚠️ The audit output contains details about your system's security posture
- Do not share raw output publicly if it reveals sensitive configuration
- The `--json` output is designed for automated processing, not public sharing
- ShellCheck: clean at `--severity=style` (the strictest level); see `.shellcheckrc` for the project-wide rationale on SC2059 (color-format strings) and SC2329 (callback dispatch / signal traps). The CI gate enforces `--severity=warning`.
- API-Layer Lint: `scripts/lint-api-usage.sh` enforces 11 anti-regression patterns covering known bug classes: direct firewalld API calls bypassing the capability layer, `systemctl is-masked` (non-existent verb), `grep -r` on symlinked dirs, bare `pass()`/`fail()`/`warn()`/`info()` reintroductions, `chage -l` without `LC_ALL=C`, hardcoded VPN-iface regex, `df -T NR==2` wrap-vulnerable patterns, `fwupdmgr`/`bluetoothctl` without `LC_ALL=C`, `((var<op>))` arithmetic-command counters that bomb under `set -e` (Pattern 9, all `++`/`--`/`+=`/`-=`/`*=`/`/=`/`%=` forms), `systemd-analyze`/`virsh`/`resolvectl`/`free` without `LC_ALL=C` (Pattern 10, `free -flag` forms covered), and unanchored `grep nameserver` on resolv.conf (Pattern 11, catches commented entries reported as active DNS servers).
- BATS unit tests: `tests/unit/` covers the bug-pattern classes via the `bats` runner against `tests/fixtures/`.
- bash -n: Syntax validation in CI across Ubuntu 22.04/24.04, Fedora 42/43/44, Debian 12, and Arch Linux (7-distro matrix). Plus a real audit-smoke test job that runs the audit on Ubuntu with `--offline` and validates that the JSON output parses.
- Audit-Locale Matrix: runs the audit under `en_US`, `de_DE`, `fr_FR` locales to catch the locale-bug class (`chage`/`fwupdmgr`/`bluetoothctl` translatable labels).
- Manual Review: Every PR is reviewed for security implications.
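Two of the lint's bug classes (Pattern 9 and Pattern 11) reproduced side by side with the form the lint requires instead. This is example code added for this page, not the project's `scripts/lint-api-usage.sh`; the resolv.conf content is a constructed fixture using documentation and loopback addresses.

```shell
#!/usr/bin/env bash
# Added example (not the project's lint script). Reproduces two bug
# classes the API-layer lint guards against and the compliant form of each.

# Pattern 9: `((count++))` evaluates to the OLD value. When count is 0 the
# arithmetic command returns exit status 1, so a script running under
# `set -e` aborts on its very first increment. Each probe runs in a fresh
# bash process started with -e so the caller survives; it prints the count
# reached after three increments, or "aborted" if the child died early.
unsafe_counter() {
  bash -ec 'count=0; ((count++)); ((count++)); ((count++)); echo "$count"' \
    || echo "aborted"
}

# Lint-compliant form: an assignment never fails on a zero result.
safe_counter() {
  bash -ec 'count=0; count=$((count + 1)); count=$((count + 1)); count=$((count + 1)); echo "$count"' \
    || echo "aborted"
}

# Pattern 11: constructed resolv.conf with one commented-out server and
# one active stub resolver (RFC 5737 documentation range and loopback).
RESOLV_FIXTURE='# Generated by NetworkManager
#nameserver 192.0.2.1
nameserver 127.0.0.53
search example.test'

# Unanchored grep: the commented-out 192.0.2.1 is reported as an active DNS server.
naive_nameservers() {
  printf '%s\n' "$RESOLV_FIXTURE" | grep nameserver | awk '{print $2}'
}

# Anchored form: only lines that begin with the nameserver keyword count.
anchored_nameservers() {
  printf '%s\n' "$RESOLV_FIXTURE" \
    | grep -E '^[[:space:]]*nameserver[[:space:]]+' | awk '{print $2}'
}

# Stand-alone run: show both probes for each pattern.
echo "unsafe counter: $(unsafe_counter)   safe counter: $(safe_counter)"
echo "naive nameservers:    $(naive_nameservers | tr '\n' ' ')"
echo "anchored nameservers: $(anchored_nameservers | tr '\n' ' ')"
```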
Run checks yourself:

```bash
# Syntax check
bash -n noid-privacy-linux.sh
# ShellCheck (if installed)
shellcheck noid-privacy-linux.sh
# API-layer lint
bash scripts/lint-api-usage.sh noid-privacy-linux.sh
# BATS unit tests
bats tests/unit/
```

No security vulnerabilities reported to date.
- NoID Privacy: Windows 11 Security & Privacy Hardening Framework (sister project)
- License: GNU General Public License v3.0
- Disclaimer: Use at your own risk. No warranties provided.
- Audit-Only: This tool does not modify your system.
For licensing questions, see LICENSE or open a Discussion.
Last Updated: May 18, 2026
Policy Version: 1.6.5