At sysAdmin, security is foundational to our mission. We prioritize the protection of our users' data and servers by following industry best practices for secure coding, credential management, and data protection. Since our application handles sensitive server credentials and operations, we take security extremely seriously.
Only the most recent version of sysAdmin receives security updates. We strongly recommend that all users update to the latest release as soon as it is available.
| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
We appreciate the work of security researchers and the responsible disclosure of security vulnerabilities. If you discover a security issue in sysAdmin, please follow these guidelines:
- Do NOT create a public GitHub issue for security vulnerabilities
- Email your findings to [email protected]
- Include detailed information about the vulnerability:
  - Description of the issue
  - Steps to reproduce
  - Potential impact
  - Any suggested mitigations (if available)
- If possible, provide proof of concept code or screenshots that demonstrate the vulnerability
- Initial Response: We aim to acknowledge receipt of your report within 48 hours
- Updates: You will receive updates on the progress of your report within 7 days
- Resolution: We will work diligently to verify and fix the issue as quickly as possible
- Disclosure: We practice coordinated disclosure and will work with you to determine an appropriate timeline for public disclosure after the issue is fixed
We believe in acknowledging security researchers who help improve our security:
- Researchers who report valid security vulnerabilities will be credited (with their permission) in our release notes and security advisories
- We may establish a security hall of fame on our GitHub repository for significant contributions
sysAdmin implements several security measures to protect user data:
- All SSH credentials and keys are stored in the device's secure storage using the flutter_secure_storage package
- Credentials are never transmitted to external servers or services
- Private keys are handled securely in memory and cleared after use
- All communications with Linux servers are encrypted using the SSH protocol
- We use industry-standard SSH/SFTP libraries (dartssh2) with secure cipher suites
- The application does not implement custom cryptographic solutions
- Local device authentication (biometric/PIN) is required before accessing stored credentials
- The app implements session timeouts to protect against unauthorized access
- The application requests only the minimum required device permissions necessary for operation
- File access is limited to designated directories for uploading/downloading files
We recommend the following security practices for users:
- Use SSH Keys instead of passwords when possible
- Enable Device Lock on your mobile device
- Regularly Update the sysAdmin application to the latest version
- Avoid Public Networks when managing sensitive servers
- Use Restricted Users with limited privileges for routine server management
- Enable Timeout settings in the app to automatically log out after inactivity
- Verify Server Fingerprints when establishing new connections
- Don't Root/Jailbreak devices used for server management
Our development process includes:
- Design Reviews for security implications of new features
- Static Analysis of code to identify potential vulnerabilities
- Dependency Scanning to identify and update vulnerable dependencies
- Manual Code Reviews with specific focus on security aspects
- Testing for common security vulnerabilities
While sysAdmin is not currently certified against security standards, we strive to follow best practices from:
- OWASP Mobile Security Project guidelines
- Google's Mobile Application Security Verification Standard (MASVS)
- Flutter security best practices
This security policy will be updated periodically as our security practices evolve. Last updated: April 18, 2025.