Security in our products

Bitvise SSH Server and Client have an excellent security track record. Since our software was first released in 2001, we have found occasional issues. All of these were fixed promptly as they came to our attention. The security of our software is our first priority, followed by reliability, followed by performance and features.

Vulnerabilities specific to other SSH implementations tend not to apply to ours. Our software is developed independently and does not share code with OpenSSH or other implementations. Our SSH protocol implementation is one of the more stringent ones, and has on several occasions exposed flaws in other implementations.

When a security vulnerability is discovered in one of our products, it will be fixed promptly and a new version fixing the flaw will be made available for download or automatic update. When this happens, customers who have purchased licenses will be notified at the technical contact email address associated with their licenses. To change this email address, log into your License Overview. To be sure, you can also subscribe to our mailing list for security notifications.

How secure is SSH?

When implemented and used properly, SSH v2 offers state-of-the-art cryptographic protection comparable with TLS/SSL on the application level or IPsec on the network level.

Our products provide full SSH2 cryptographic security. Your main responsibilities are to configure access permissions properly, use high-quality passwords, and verify an SSH server's public key when first connecting to the server. Verifying the host key is crucial to protect against active man-in-the-middle attacks.

For more information, see also our introduction to SSH.
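The host key check described above, as an added example that is not Bitvise code: it computes the SHA-256 fingerprint of a presented public key and compares it with a fingerprint obtained out of band. It assumes the OpenSSH-style `type base64 [comment]` key line and the `SHA256:` fingerprint form; the function names and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def parse_public_key(line):
    """Return (key_type, blob) from a 'type base64 [comment]' public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the algorithm name;
    # reject a line whose declared type disagrees with the key material.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4 or blob[4:4 + n] != declared.encode("ascii"):
        raise ValueError("declared key type does not match key blob")
    return declared, blob


def fingerprint(line):
    """SHA-256 fingerprint in the 'SHA256:<unpadded base64>' form."""
    _, blob = parse_public_key(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_host_key(presented_line, trusted_fingerprint):
    """True only if the presented key hashes to the out-of-band fingerprint."""
    return hmac.compare_digest(fingerprint(presented_line), trusted_fingerprint.strip())


def make_sample_key(seed):
    """Constructed ed25519-shaped key line for the demo (not a real host key)."""
    name = b"ssh-ed25519"
    raw = hashlib.sha256(seed).digest()  # 32 constructed bytes standing in for the key
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " demo"


if __name__ == "__main__":
    genuine = make_sample_key(b"server")
    trusted = fingerprint(genuine)  # in practice: supplied by the server administrator
    impostor = make_sample_key(b"man-in-the-middle")
    print(trusted)
    print("genuine accepted:", verify_host_key(genuine, trusted))
    print("impostor accepted:", verify_host_key(impostor, trusted))
```

The trusted fingerprint must reach you over a channel other than the connection being verified, otherwise the comparison proves nothing.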

Bitvise's software development lifecycle

Bitvise is a small company that has always had a single-digit number of developers. Our development can therefore involve less formality than that of larger teams, and yet can deliver greater quality. The following are the main ways we ensure that the security of our software is high and continues to improve:

  • We keep a small team of experienced developers, minimizing turnover so that we preserve the lessons we have learned.

  • We address any new issues comprehensively and in depth, so that we not only fix the mistake but also improve the processes that allowed it.

  • We hire rarely, and the work of any new hires is carefully vetted. We use C++, which is a complex language that requires great skill and discipline to use safely. We ensure that any code we use is of a high quality, and that anyone we hire has such skill.

The latest Bitvise software versions are created by developers who are more experienced than they were 10 or 20 years ago, using processes more stringent than when we started. Our existence is possible because our software was recognized as dependable in its early versions. Over time, the issues we find have become less frequent and less severe.

We believe our latest versions are the most secure versions we have released, and we continue to work to meet and exceed this.

Security questionnaires

A questionnaire cannot tell you if our software is secure. It tells you if Bitvise is aware of guidelines and best practices, and if we claim to be compliant.

Bitvise software runs under your control. When you handle data using our software, the data is not sent to Bitvise. You are not using a cloud service. Bitvise does not process the data. You are processing the data, using Bitvise software as a tool.

When you use our software, the security of your settings is under your control, not under Bitvise's control. If there is an incident, information about the incident is on your computers, not on Bitvise's computers. Bitvise does not collect telemetry and has no information about your settings or your use.

Security of our software is our highest development priority. Our next priority is stability and robustness. These considerations have precedence over new features. We perform ongoing in-house testing to ensure our software meets security and robustness requirements.

Questionnaires are most commonly sent as Microsoft Office documents. We do not open unsolicited documents for editing. Opening a document in this way is a security failure. We are available to answer questions, including security questions, if you can state questions plainly in your inquiry.