| Version | Supported |
|---|---|
| 2.x | ✅ |
| 1.x | ❌ |

WinClean is designed with security in mind:
- System Restore Point: Created before any changes
- Protected Paths: Critical system folders are never touched
- No Network Data: Script doesn't send any data externally
- No Credentials: Script never stores or transmits credentials
- Dry Run Mode: `-ReportOnly` flag to preview all changes
- Signed Commits: All releases are signed

- `C:\Windows\`
- `C:\Program Files\`
- `C:\Program Files (x86)\`
- `C:\Users\`
- `C:\Users\<Username>\`

If you discover a security vulnerability in WinClean, please report it responsibly:
- DO NOT create a public GitHub issue for security vulnerabilities
- Email the maintainer directly (create a private security advisory)
- Or use GitHub's private vulnerability reporting
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
  - Critical: 24-48 hours
  - High: 1 week
  - Medium: 2 weeks
  - Low: Next release
- We will acknowledge receipt of your report
- We will investigate and determine impact
- We will develop and test a fix
- We will release a patched version
- We will publicly acknowledge your contribution (unless you prefer anonymity)
When using WinClean:
- Always download from official sources (GitHub releases)
- Verify the script before running (`-ReportOnly` mode)
- Run with minimum necessary privileges (though admin is required)
- Keep PowerShell updated to the latest version
- Review the changelog before updating to new versions
The following are in scope for security reports:
- Code execution vulnerabilities
- Privilege escalation
- Data destruction outside intended scope
- Information disclosure
- Bypass of safety mechanisms
The following are out of scope:
- Issues requiring physical access to the machine
- Social engineering
- Issues in dependencies not controlled by this project
- Issues already publicly known
Thank you for helping keep WinClean secure!