We release patches for security vulnerabilities in the following versions:

| Version | Supported |
|---|---|
| 2.2.x | β |
| 2.1.x | β |
| 2.0.x | β |
| < 2.0 | β |

If you discover a security vulnerability in ImageWriter, please report it responsibly:
- Email: tixset@gmail.com
- GitHub: https://github.com/tixset/ImageWriter
- Subject: [SECURITY] ImageWriter Vulnerability Report

Please include the following information in your report:
- Type of vulnerability (e.g., buffer overflow, path traversal, privilege escalation)
- Affected component (e.g., file handling, device access, archive extraction)
- Steps to reproduce the vulnerability
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Your name/handle (for credit in the fix announcement)

- Initial Response: Within 48 hours
- Triage: Within 1 week
- Fix for Critical Issues: Within 7-14 days
- Fix for Non-Critical Issues: Within 30 days

- We will acknowledge receipt of your report
- We will investigate and validate the vulnerability
- We will develop and test a fix
- We will release a security update
- We will publicly disclose the vulnerability (after the fix is released)
- We will credit you in the release notes (unless you prefer to remain anonymous)

When using ImageWriter:
- Administrator Privileges: Only run ImageWriter with administrator privileges when necessary
- Verify Images: Always verify checksums (MD5/SHA-256) of downloaded disk images
- Backup Data: Ensure all important data is backed up before writing to any device
- Device Selection: Double-check the target device before starting write operations
- Source Files: Only use disk images from trusted sources
- Updates: Keep ImageWriter updated to the latest version

- Elevated Privileges: ImageWriter requires administrator privileges for disk write operations (by design)
- Direct Disk Access: The application performs low-level disk operations (intended functionality)
- File System Bypass: Writing raw disk images bypasses file system protections (required for operation)

- User Confirmation: Multiple confirmation dialogs before destructive operations
- Device Information: Clear display of target device information
- Volume Locking: Volumes are locked during write operations
- Validation: Input validation for paths, sizes, and parameters
- UAC Integration: Proper UAC elevation handling on Vista and later

Recent security improvements (v2.2.0+):
- Fixed race condition in streaming copy operations
- Added GPT overflow vulnerability protection
- Implemented proper handle leak prevention
- Enhanced input validation for file paths
- Improved error handling to prevent information disclosure

- We follow responsible disclosure practices
- Security vulnerabilities will be disclosed 90 days after a fix is available
- Critical vulnerabilities affecting user data will be prioritized

We appreciate security researchers who help improve ImageWriter:

Last Updated: December 22, 2025
Contact: Anton Zelenov (tixset@gmail.com)
GitHub: https://github.com/tixset/ImageWriter