Security

Security information for Ctrl-Q.

Ctrl-Q is open source and you have access to all source code.

It is your responsibility to determine if Ctrl-Q is suitable for your use case.

The creators of Ctrl-Q, including Ptarmigan Labs, Göran Sander or any other contributor, can and must never be held liable to past or future security issues of Ctrl-Q. If you have security concerns or ideas around Ctrl-Q, please get involved in the project and contribute to making it better!

If you discover a serious bug with Ctrl-Q that may pose a security problem, please disclose it
confidentially to security@ptarmiganlabs.com first, so it can be assessed and hopefully fixed
prior to being exploited.

Please do not raise GitHub issues for serious security-related doubts or problems.

Virus scanning

Every time a Ctrl-Q release is done the created binaries are sent to VirusTotal for scanning.
VirusTotal acts as an aggregated virus scanner that sends the Ctrl-Q binaries to dozens of anti-virus scanners, including many of the major/most widely used ones.

Links to the VirusTotal scan report are included in each release notes, making it easy to check the status of each binary:

VirusTotal scans as part of Ctrl-Q release notes

A VirusTotal scan that reports “no risks found” can look like this:

VirusTotal scans with no risks found

Positive scan vs false positives

If one or more of the security vendors used by VirusTotal reports an issue you have to make a decision.
Is it a real issue or a false positive?

You have to decide this yourself, but some general lines of thought can be:

Is it a single vendor that reports the Ctrl-Q binary file to be a risk, or several vendors?
If one vendor reports an issue and 60+ vendors don't, you might be looking at a false positive.

But again - at the end of the day it’s you that must make that decision.

A scan where a single security vendor reports an issue can look like this:

VirusTotal scans with one issue found

Signed binaries

The macOS executable binary is signed and notarized by Apple’s standard process.
A warning may still be shown first time the app is started. This is expected and normal.

The Windows executable binary is signed by “Open Source Developer, Göran Sander”.


Last modified November 15, 2024: 4.0.0 (4622e4e)