Updating apps involves privileged operations and must be done carefully. Because of this, Ninite ensures all app configuration data is transmitted securely and all downloads are validated before use.
This starts with every Ninite .exe being signed by our company. Those exes then talk to ninite.com over a well-configured TLS connection to get the latest app configuration information.
Each program is downloaded from its publisher's official mirrors and then checked for a matching SHA-256 hash (delivered over TLS) or valid file signature from the publisher before we run anything. If an official mirror is unreliable, we may use our own mirror at software-update-mirror.com. Files retrieved from Ninite Pro's cache are also validated immediately before use.
If validation fails the app update fails. There are no options or prompts to ignore these issues or continue with questionable data.
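The hash branch of the check described above, sketched as an added example that is not Ninite's code: a cached file is re-validated on every use and a mismatch fails with no override. The file name, payload and the `validate_before_use` helper are assumptions constructed for illustration; the publisher-signature branch is not shown.

```python
import hashlib
import hmac
import os
import tempfile

class ValidationError(Exception):
    """Raised when a file does not match the hash from the catalog."""

def sha256_file(path, chunk_size=1 << 16):
    # Stream the file so large installers are not loaded into memory at once.
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def validate_before_use(path, expected_sha256):
    """Hypothetical helper: return path only on a match. No 'ignore' option exists."""
    expected = expected_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValidationError("catalog hash is malformed")
    if not hmac.compare_digest(sha256_file(path), expected):
        raise ValidationError(f"hash mismatch for {os.path.basename(path)}")
    return path

def demo():
    # Constructed sample: stand-in installer bytes and the hash a catalog would carry.
    payload = b"constructed installer bytes v1.0"
    catalog_hash = hashlib.sha256(payload).hexdigest()
    results = []
    with tempfile.TemporaryDirectory() as cache_dir:
        cached = os.path.join(cache_dir, "app-setup.exe")
        with open(cached, "wb") as fh:
            fh.write(payload)
        validate_before_use(cached, catalog_hash)
        results.append("first use: ok")
        # The cached copy changes after the first check; the next use re-validates.
        with open(cached, "ab") as fh:
            fh.write(b"\x00modified")
        try:
            validate_before_use(cached, catalog_hash)
            results.append("second use: ok")
        except ValidationError as exc:
            results.append(f"second use: refused ({exc})")
    return results

if __name__ == "__main__":
    print("\n".join(demo()))
```

A check like this only holds if the file cannot change between hashing and execution, so the validated copy should sit somewhere unprivileged users cannot write.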
When we add new versions to our catalog we take care to verify the downloads from the origin site and run a virus scan.
Ninite declines all toolbar offers and bundled junkware. You may get irrelevant warnings or experience download failures if you have security software configured to warn about the mere presence of junk offers in installers. It is safe to ignore these because Ninite opts out of the junk.
We take similar care with our backend systems used to update the catalog. Updates are configured in clean snapshotted virtual machines and all communication with our servers is encrypted.
These same precautions also apply to the Ninite Pro Agent.
Protecting our systems that handle agent connections and app configuration updates is a big priority and we do that by strictly limiting access, running minimal services, and keeping our own servers patched and up-to-date.
A compromise of our servers is a threat we take seriously and we're always looking for ways to improve our defenses.
Please get in touch if you have more questions or need anything else. Thanks!
To report a security issue please visit our security response page.