Security in our products
Bitvise SSH Server and Client have an excellent security track record. Since our software was first released in 2001, we have found occasional issues. All of these were fixed promptly as they came to our attention. The security of our software is our first priority, followed by reliability, followed by performance and features.
Vulnerabilities specific to other SSH implementations tend to not apply to ours. Our software is developed independently and does not share code with OpenSSH and other implementations. Our SSH protocol implementation is one of the more stringent ones, on several occasions exposing flaws in other implementations.
When a security vulnerability is discovered in one of our products, it will be fixed promptly and a new version fixing the flaw will be made available for download or automatic update. When this happens, customers who have purchased licenses will be notified at the technical contact email address associated with their licenses. To change this email address, log into your License Overview. For additional assurance, you can also subscribe to our mailing list for security notifications.
How secure is SSH?
When implemented and used properly, SSH v2 offers state-of-the-art cryptographic protection comparable with TLS/SSL on the application level or IPsec on the network level.
Our products provide full SSH2 cryptographic security. Your main responsibilities are to configure access permissions properly, to use high quality passwords, and to verify an SSH server's public key when first connecting to the server. Verifying the host key is crucial to protect against active man-in-the-middle attacks.
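Host key verification in practice means comparing the fingerprint of the key the server presents on first connection against a fingerprint obtained out of band (from the server administrator, a configuration management system, or a published list). The following is an added example, not code from Bitvise or from its products: it parses a public key line in the common "type base64-blob comment" format, computes the SHA256 and MD5 fingerprints in the same notation OpenSSH-style tools print, and performs a constant-time comparison against the expected value. The sample key bytes are constructed for illustration and are not a real key; the function names are the example's own.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH 'string' at offset; return (payload, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated SSH string")
    return blob[offset:offset + length], offset + length


def parse_public_key_line(line: str) -> bytes:
    """Return the raw key blob from a 'type base64 [comment]' line.

    The blob's embedded type name must match the leading type field;
    a mismatch indicates a corrupted or tampered key line.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected at least a key type and a base64 blob")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = _read_ssh_string(blob, 0)
    if inner_type.decode("ascii", errors="replace") != key_type:
        raise ValueError("key type field does not match the encoded blob")
    return blob


def sha256_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint: base64 of the digest with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy MD5 fingerprint: colon-separated lowercase hex bytes."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def verify_host_key(line: str, expected_fingerprint: str) -> bool:
    """True only if the presented key's fingerprint equals the expected one.

    The comparison is constant-time so a mismatch leaks no positional info.
    """
    blob = parse_public_key_line(line)
    if expected_fingerprint.startswith("SHA256:"):
        actual = sha256_fingerprint(blob)
    elif expected_fingerprint.startswith("MD5:"):
        actual = md5_fingerprint(blob)
    else:
        raise ValueError("expected fingerprint must start with SHA256: or MD5:")
    return hmac.compare_digest(actual, expected_fingerprint)


# Constructed sample material (not a real key): a 32-byte Ed25519-shaped
# public key wrapped in the ssh-ed25519 wire format.
_SAMPLE_KEY_BYTES = bytes(range(32))
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(_SAMPLE_KEY_BYTES)
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode("ascii") + " constructed-sample"

# Same blob with one key byte flipped, standing in for a changed server key.
_TAMPERED_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\xff" + _SAMPLE_KEY_BYTES[1:])
TAMPERED_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_TAMPERED_BLOB).decode("ascii")

# Leading type field disagrees with the blob: parse_public_key_line rejects it.
MISMATCHED_TYPE_LINE = "ssh-rsa " + base64.b64encode(_SAMPLE_BLOB).decode("ascii")


if __name__ == "__main__":
    pinned = sha256_fingerprint(parse_public_key_line(SAMPLE_KEY_LINE))
    print("pinned fingerprint:", pinned)
    print("presented key matches:", verify_host_key(SAMPLE_KEY_LINE, pinned))
    print("changed key matches:", verify_host_key(TAMPERED_KEY_LINE, pinned))
```

In a real deployment the pinned fingerprint comes from the server operator, not from the first connection itself; a client that silently accepts whatever key it sees first has only verified that the key did not change later, which does not defend against an attacker who was already in the path on that first connection.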
For more information, see also our introduction to SSH.
Bitvise's software development lifecycle
Bitvise is a small company that has always had a single-digit number of developers. Our development can therefore involve less formality than larger teams, and yet deliver higher quality. The following are the main ways we ensure that the security of our software is high and continues to improve:
We keep a small team of experienced developers, minimizing turnover so that we preserve the lessons we have learned.
We address any new issue comprehensively and in depth, so that not only is the mistake fixed, but the processes that allowed it are also improved.
We hire rarely, and the work of any new hires is carefully vetted. We use C++, which is a complex language that requires great skill and discipline to use safely. We ensure that any code we use is of a high quality, and that anyone we hire has such skill.
The latest Bitvise software versions are created by developers more experienced than 10 or 20 years ago, using processes more stringent than when we started. Our existence is possible because our software was recognized as dependable in its early versions. Over time, the issues we find have become less frequent and less severe.
We believe our latest versions are the most secure versions we have released, and we continue to work to meet and exceed this.
Security questionnaires and attestations
Bitvise has prepared a Secure Software Development attestation following NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1. You can contact us to request a copy.
Bitvise does not complete third-party security questionnaires. These are labor intensive and require senior attention. We do not have the resources to complete the number of these that are requested. What we can do is to provide our own prepared attestation, following SSDF v1.1.