Security Policy

Security Policy

Last updated 26 June 2026 — version 1.5

PC Workman needs administrative privileges to read hardware sensors and control fan speeds. That level of access deserves rigorous, verifiable security. This page summarises how every release is protected and how you can verify it yourself — you don't have to take my word for any of it. The full policy lives in SECURITY.md.

CodeQL
CodeQL
VirusTotal
VirusTotal 0/70
Sigstore
Sigstore signed
OpenSSF
OpenSSF (in progress)

How every release is protected

Verify it yourself

Before running any release, you can confirm it is authentic and clean:

1. Verify the Sigstore signature

sigstore verify github \
  PC_Workman_HCK_<version>.exe \
  --bundle sigstore.bundle

If verification fails, do not run the file — report it.

2. Check the SHA256 hash against the value in the release notes

Get-FileHash PC_Workman_HCK_<version>.exe -Algorithm SHA256

3. Scan it on VirusTotal (expected: 0 detections) and read the source — every line is on GitHub.

Download only from official sources: GitHub Releases, pcworkman.dev, or SourceForge. Executables received by email, Discord or third-party download sites should be treated as untrusted.

Privacy & data

PC Workman is local-first: all system-monitoring data, learned baselines, the offline hck_GPT assistant and your history stay on your device. The only data that can leave is an optional, anonymous hardware & usage snapshot (component models, OS, region from your locale, app version, session length — never your name, IP, files or process names), used to fix hardware incompatibilities and controllable in Settings.

Full details: Privacy Policy (EN + PL) and PRIVACY.md.

Supported versions

VersionSupportedSecurity updates
1.8.0 (latest stable)YesBest — current release
1.7.xLimitedCritical only — upgrade recommended
1.6.xLimitedCritical only — upgrade recommended
< 1.6NoEnd of life

Reporting a vulnerability

Please report security issues privately, not in public issues:

Response timeline: acknowledgment within 24 hours, validation and severity within 72 hours, a fix for critical issues (CVSS 7.0+) within 7 days. Reporters are credited unless anonymity is requested.

Status at a glance

MeasureStatus
Sigstore signaturesActive (since Jan 20, 2026)
VirusTotal0/70 clean — last scanned v1.8.0 (June 22, 2026)
CodeQLClean on every commit
OpenSSF Best PracticesIn progress (~25%)
← Back to PC Workman