This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.


Security information for Ctrl-Q.

Ctrl-Q is open source and you have access to all source code.

It is your responsibility to determine if Ctrl-Q is suitable for your use case.
The creators of Ctrl-Q, including Ptarmigan Labs, Göran Sander or any other contributor, can and must never be held liable to past or future security issues of Ctrl-Q. If you have security concerns or ideas around Ctrl-Q, please get involved in the project and contribute to making it better!

If you discover a serious bug with Ctrl-Q that may pose a security problem, please disclose it
confidentially to first, so it can be assessed and hopefully fixed
prior to being exploited.

Please do not raise GitHub issues for serious security-related doubts or problems.

Virus scanning

Every time a Ctrl-Q release is done the created binaries are sent to VirusTotal for scanning.
VirusTotal acts as an aggregated virus scanner that sends the Ctrl-Q binaries to dozens of anti-virus scanners, including many of the major/most widely used ones.

Links to the VirusTotal scan report are included in each release notes, making it easy to check the status of each binary:

VirusTotal scans as part of Ctrl-Q release notes

A VirusTotal scan that reports “no risks found” can look like this:

VirusTotal scans with no risks found

Positive scan vs false positives

If one or more of the security vendors used by VirusTotal reports an issue you have to make a decision.
Is it a real issue or a false positive?

You have to decide this yourself, but some general lines of thought can be:

Is it a single vendor that reports the Ctrl-Q binary file to be a risk, or several vendors?
If one vendor reports an issue and 60+ vendors don't, you might be looking at a false positive.

But again - at the end of the day it’s you that must make that decision.

A scan where a single security vendor reports an issue can look like this:

VirusTotal scans with one issue found

Signed binaries

The macOS executable binary is signed and notarized by Apple’s standard process.
A warning may still be shown first time the app is started. This is expected and normal.

The Windows executable binary is signed by “Ptarmigan Labs AB”.