Security in our products

Bitvise SSH Server and Client have an excellent security track record. Since our software was first released in 2001, we have found occasional issues. All of these were fixed promptly as they came to our attention. The security of our software is our first priority, followed by reliability, followed by performance and features.

Vulnerabilities specific to other SSH implementations tend not to apply to ours. Our software is developed independently and does not share code with OpenSSH or other implementations. Our SSH protocol implementation is one of the more stringent ones, and has on several occasions exposed flaws in other implementations.

When a security vulnerability is discovered in one of our products, it will be fixed promptly and a new version fixing the flaw will be made available for download or automatic update. When this happens, customers who have purchased licenses will be notified at the technical contact email address associated with their licenses. To change this email address, log into your License Overview. To be sure you receive these notifications, you can also subscribe to our mailing list for security notifications.

How secure is SSH?

When implemented and used properly, SSH v2 offers state-of-the-art cryptographic protection comparable with TLS/SSL on the application level or IPsec on the network level.

Our products provide full SSH2 cryptographic security. Your main responsibilities are to configure access permissions properly, to use high-quality passwords, and to verify an SSH server's public key when first connecting to the server. Verifying the host key is crucial to protect against active man-in-the-middle attacks.

For more information, see also our introduction to SSH.

Automatic update security

Bitvise software supports built-in updates. Checks for updates are enabled by default, and can be disabled. The built-in update process includes security checks:

  • The version information received during an update check is digitally signed. This signature uses a private key separate from the key used for TLS.

  • New version information includes a SHA-512 hash of the new version installer. This hash is covered by the digital signature.

  • The update process verifies that the cryptographic hash of a downloaded installer matches the expected value.

  • Configurable update settings include an Update stability delay. When a new version becomes available, the software will not automatically update until it has observed the new version for the configured number of days. This setting is enabled by default, and helps users avoid updating to a new version if issues are found soon after its release.
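The three checks above (signed version information, an installer hash covered by that signature, and the stability delay) can be illustrated as a client-side verification routine. This is an added example, not Bitvise's code: the JSON manifest layout, the use of Ed25519 for the update signature, and the all-zero demo seed are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Manifest is a hypothetical version record; the installer hash is inside the signed bytes.
type Manifest struct {
	Version         string `json:"version"`
	InstallerSHA512 string `json:"installer_sha512"`
}
// VerifyManifest checks the update-key signature (a key separate from TLS) before any field is trusted.
func VerifyManifest(pub ed25519.PublicKey, raw, sig []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, raw, sig) {
		return m, fmt.Errorf("manifest signature invalid")
	}
	return m, json.Unmarshal(raw, &m)
}
// VerifyInstaller compares the SHA-512 of the downloaded bytes with the signed expected value.
func VerifyInstaller(m Manifest, installer []byte) error {
	want, err := hex.DecodeString(m.InstallerSHA512)
	if err != nil || len(want) != sha512.Size {
		return fmt.Errorf("malformed installer hash in manifest")
	}
	got := sha512.Sum512(installer)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return fmt.Errorf("installer hash mismatch")
	}
	return nil
}
// StabilityDelayElapsed allows auto-update only once delayDays have passed since the version was first seen.
func StabilityDelayElapsed(firstSeen, now time.Time, delayDays int) bool {
	return !now.Before(firstSeen.AddDate(0, 0, delayDays))
}
func main() { // constructed demo; an all-zero seed is NOT a real key
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	installer := []byte("constructed installer bytes")
	sum := sha512.Sum512(installer)
	raw, _ := json.Marshal(Manifest{Version: "9.99", InstallerSHA512: hex.EncodeToString(sum[:])})
	m, err := VerifyManifest(priv.Public().(ed25519.PublicKey), raw, ed25519.Sign(priv, raw))
	fmt.Println(m.Version, err, VerifyInstaller(m, installer), VerifyInstaller(m, []byte("x")))
}
```

Because the hash is parsed only after the signature passes, a manifest served over a compromised TLS channel cannot point the client at a different installer.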

Bitvise's software development lifecycle

Bitvise is a small company that has always had a single-digit number of developers. Our development involves less formality than at larger teams, yet can deliver equal or greater quality. The following are the main ways we ensure that the security of our software is high and continues to improve:

  • We use the latest available AI tools, both to review existing code, and to review new code changes.

  • We keep a small team of experienced developers, minimizing turnover to preserve the lessons we have learned.

  • We address any new issues comprehensively and in-depth. We do not only fix a mistake, but improve the processes that allowed it.

  • We hire rarely, and the work of a new hire is carefully vetted. We use C++, a complex language that requires skill and discipline to use safely.

The latest Bitvise software versions are created by developers who are more experienced than they were 10 or 20 years ago, using processes greatly improved over time. We believe our latest versions are the most secure versions we have released, and we continue to work to exceed this.

Use of AI in development

The quality of commercially available AI tools has improved to where they are now indispensable for software correctness. We are applying the latest available AI tools proactively, to find and fix flaws which previously missed detection. We find AI invaluable for reviews of existing code, as well as reviews of new code changes.

Every line of code is still considered and entered by a developer. AI can make significant mistakes, and is not yet sufficiently mature to permit direct, unscrutinized AI code changes. We find that AI catches errors made by the human, and the human catches subtle and unsubtle errors made by AI. This makes both indispensable.

Security questionnaires and attestations

Bitvise has prepared a Secure Software Development attestation following NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1. You can contact us to request a copy.

Bitvise does not complete third-party security questionnaires. These are labor intensive and require senior attention. We do not have the resources to complete the number of these that are requested. What we can do is to provide our own prepared attestation, following SSDF v1.1.