Information about NullifyPDF's security model, privacy guarantees, and how to report security vulnerabilities.
Important
NullifyPDF is designed for maximum privacy. This document explains how we achieve it and what to do if you discover a vulnerability.
NullifyPDF follows a privacy-first architecture:
| Principle | Implementation |
|---|---|
| 100% Local | All PDF processing happens on your machine |
| No Cloud | No file uploads, no network transmission |
| No Telemetry | Zero user tracking or analytics |
| Open Source | Full code transparency, auditable by anyone |
| Cryptographic Scrubbing | Binary-level data destruction (not just covering) |
- No Internet Connections (except GitHub release checks)
- No Data Collection (no logs sent anywhere)
- No Third-party APIs (everything local)
- No User Accounts (no registration required)
- No Tracking (no cookies, no analytics)
When you export a PDF with redactions:
- Metadata Stripped: Creation date, author, embedded text removed
- Links Destroyed: Hyperlinks and form fields eliminated
- Binary Scrubbing: Text beneath redactions overwritten at binary level
- Forensically Sound: Redacted data is unrecoverable
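A check that a user or auditor can run on an exported file to test the claims above, added here as an example (it is not NullifyPDF's code). It searches the raw bytes and every Flate-compressed stream for terms that should be gone; the function names and the sample bytes are constructed for illustration.

```python
import re
import zlib

# Bytes between the "stream" and "endstream" keywords of a PDF object.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def inflate_streams(pdf_bytes: bytes) -> list[bytes]:
    """Return every stream body, inflated when it is Flate-compressed."""
    bodies = []
    for match in STREAM_RE.finditer(pdf_bytes):
        raw = match.group(1)
        try:
            # decompressobj tolerates the end-of-line left after the data
            bodies.append(zlib.decompressobj().decompress(raw))
        except zlib.error:
            bodies.append(raw)  # some other filter: search the raw bytes
    return bodies


def find_residual_terms(pdf_bytes: bytes, terms: list[str]) -> dict[str, list[str]]:
    """Map each term that is still present to the places it was found."""
    haystacks = {"raw file": pdf_bytes}
    for i, body in enumerate(inflate_streams(pdf_bytes)):
        haystacks[f"stream {i}"] = body
    hits: dict[str, list[str]] = {}
    for term in terms:
        # PDF strings are usually single-byte or UTF-16BE encoded
        needles = (term.encode("latin-1", "ignore"), term.encode("utf-16-be"))
        for where, data in haystacks.items():
            if any(n and n in data for n in needles):
                hits.setdefault(term, []).append(where)
    return hits


def sample_pdf(page_text: str, author: str) -> bytes:
    """Constructed PDF-like bytes: an Info-style dict and one Flate stream."""
    content = zlib.compress(f"BT /F1 12 Tf ({page_text}) Tj ET".encode("latin-1"))
    return (b"%PDF-1.7\n1 0 obj\n<< /Author (" + author.encode("latin-1")
            + b") >>\nendobj\n2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
            + content + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    leaky = sample_pdf("Jane Roe, phone 555-0100", author="Jane Roe")
    print(find_residual_terms(leaky, ["Jane Roe", "555-0100"]))
```

An empty result is a lower bound, not proof: text drawn with font-specific glyph codes or held behind filters other than Flate is not decoded here.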
During export, NullifyPDF uses disk-backed temporary files:
- Temporary data written to system temp directory
- Automatically cleaned up after export completes
- On Windows: `%APPDATA%\Local\Temp\`
- On macOS/Linux: `/tmp/`
- Original PDF kept in memory only while open
- AI results (detected entities) stored only in-memory during session
- Exported PDF overwrites original data locations
- Graceful cleanup on app close
- PDF files only (blocked: `.exe`, `.zip`, etc.)
- File size limits to prevent DoS attacks
- Encryption detection (blocks password-protected PDFs)
- Path traversal protection (prevents `../../../etc/passwd` exploits)
- Page number bounds checking
- Language selection validation (EN/IT/BOTH only)
- File path sanitization
- Type hints on all functions
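A sketch of how the path, file-type, size, page and language checks in this list can be implemented, added here as an example and not taken from `NullifyPDF.py`. The allowed root directory, the 200 MiB limit and all function names are assumptions.

```python
from pathlib import Path

MAX_PDF_BYTES = 200 * 1024 * 1024  # assumed limit; the page gives no figure
ALLOWED_LANGUAGES = {"EN", "IT", "BOTH"}


class RejectedInput(ValueError):
    """A file or parameter failed validation."""


def validate_pdf_path(user_path: str, allowed_root: Path) -> Path:
    """Resolve user_path under allowed_root and apply the file checks."""
    root = allowed_root.resolve()
    # resolve() collapses ".." and follows symlinks before the containment
    # test; an absolute user_path replaces root and fails the same test.
    candidate = (root / user_path).resolve()
    if not candidate.is_relative_to(root):
        raise RejectedInput("path escapes the allowed directory")
    if candidate.suffix.lower() != ".pdf":
        raise RejectedInput("only .pdf files are accepted")
    if not candidate.is_file():
        raise RejectedInput("not a regular file")
    if candidate.stat().st_size > MAX_PDF_BYTES:
        raise RejectedInput("file exceeds the size limit")
    with candidate.open("rb") as fh:
        # The extension is chosen by the sender, so confirm the signature too
        if fh.read(5) != b"%PDF-":
            raise RejectedInput("missing %PDF- signature")
    return candidate


def validate_page(page_number: int, page_count: int) -> int:
    """Accept only a zero-based index inside the document."""
    if isinstance(page_number, bool) or not isinstance(page_number, int):
        raise RejectedInput("page number must be an integer")
    if not 0 <= page_number < page_count:
        raise RejectedInput("page number out of range")
    return page_number


def validate_language(language: str) -> str:
    """Accept exactly the three values the list names."""
    if language not in ALLOWED_LANGUAGES:
        raise RejectedInput("language must be EN, IT or BOTH")
    return language
```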
Do NOT open a public GitHub issue. Instead, follow these steps:
- Assess the Risk
  - Is it a privacy leak? (severity: HIGH)
  - Is it a data corruption risk? (severity: HIGH)
  - Is it a UI bug? (severity: LOW)
- Report Through Proper Channel
  - Open a private security advisory on GitHub, OR
  - Contact through GitHub security form (coming soon)
- What to Include
  - Detailed vulnerability description
  - Steps to reproduce
  - Affected version(s)
  - Suggested fix (if you have one)
  - Your name (if you want credit)
- Timeline
  - You'll receive acknowledgment within 48 hours
  - Fix will be attempted within 2 weeks (critical) or 1 month (standard)
  - You'll be credited in release notes
We follow responsible disclosure principles:
- Embargo Period: 30 days for critical vulnerabilities
- Public Disclosure: After patch is released
- Credit: Security researchers credited by name (unless anonymous requested)
Only the latest released version receives security updates. Always use the newest version for security patches and critical fixes.
- Shoulder Surfing: If someone watches your screen while redacting
- Malware on Your Computer: If your machine is compromised
- Unencrypted Storage: Save your PDF to an encrypted drive if sensitive
- Physical Access: If someone accesses your hard drive directly
- Forensic Recovery: If sophisticated attackers do disk forensics
- Use encrypted storage (BitLocker, FileVault, LUKS)
- Keep antivirus software updated
- Use strong passwords on your machine
- Don't share exported PDFs on unsecured channels
- Use trusted networks when processing sensitive documents
The codebase is open source and welcomes security audits:
- Review code on GitHub
- Check `NullifyPDF.py` for data handling
- Review `ARCHITECTURE.md` for system design
- Examine test coverage in `tests/`
We use Python static analysis tools:
```bash
# Type checking
mypy NullifyPDF.py
# Linting
pylint NullifyPDF.py
# Security scanning
bandit NullifyPDF.py
```
Security-relevant tests cover:
- Input validation (path traversal, injection)
- Resource cleanup (file handles, memory)
- Permission handling (file mode, ownership)
Run tests:
```bash
pytest tests/ -v
```
Your redaction preferences (blocklist/allowlist) are stored locally:
| OS | Location |
|---|---|
| Windows | C:\Users\<username>\.nullifypdf\ |
| macOS | ~/.nullifypdf/ |
| Linux | ~/.nullifypdf/ |
- Only accessible by your user account
- Not synced to cloud
- Not shared with anyone
- Deleted when you remove files
On Linux/macOS, directory permissions default to:
```
drwx------ user group .nullifypdf/
```
Only your user can read/write. On Windows, standard user ACLs apply.
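To confirm that the settings directory really has the owner-only mode shown above, and to repair it if not, a POSIX-only check such as the following can be used. It is an added example, not the project's code, and the function names are assumptions.

```python
import os
import stat
from pathlib import Path


def audit_private_dir(path: Path) -> list[str]:
    """Return findings for a directory that should be owner-only (0700)."""
    st = os.lstat(path)  # lstat inspects the entry itself, not a link target
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink; settings could be redirected elsewhere"]
    if not stat.S_ISDIR(st.st_mode):
        return ["is not a directory"]
    findings = []
    if st.st_uid != os.getuid():
        findings.append(f"owned by uid {st.st_uid}, not the current user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"group/other access granted (mode {mode:04o})")
    if mode & 0o700 != 0o700:
        findings.append(f"owner lacks full access (mode {mode:04o})")
    return findings


def ensure_private_dir(path: Path) -> Path:
    """Create the directory if missing and force mode 0700."""
    path.mkdir(mode=0o700, parents=True, exist_ok=True)
    if path.is_symlink():
        raise PermissionError(f"{path} is a symlink, refusing to use it")
    os.chmod(path, 0o700)  # mkdir's mode is not applied to an existing dir
    return path


if __name__ == "__main__":
    target = Path.home() / ".nullifypdf"
    if target.exists() or target.is_symlink():
        print(audit_private_dir(target) or "ok: owner-only")
    else:
        print("no settings directory yet")
```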
NullifyPDF uses trusted, actively-maintained libraries:
| Library | Purpose | Status |
|---|---|---|
| pyside6 | GUI framework | Actively maintained |
| pymupdf | PDF manipulation | Actively maintained |
| presidio-analyzer | PII detection | Maintained by Microsoft |
| spacy | NLP engine | Actively maintained |
We monitor dependencies for CVEs:
- GitHub Dependabot alerts enabled
- Security updates applied promptly
- Community reports welcomed
NullifyPDF is provided as-is without warranty. While we take security seriously:
- No Guarantee of Unrecoverability: For highly sensitive data, consult legal/security experts
- No Liability: Use at your own risk
- Not a Legal Tool: Consult lawyers for document redaction in legal cases
- Forensic Limitations: Determined attackers with forensic tools may recover data
For mission-critical or legal redactions, consider:
- Professional redaction services
- Dedicated security appliances
- Expert legal guidance
We acknowledge and credit security researchers who responsibly disclose vulnerabilities:
- [List of past security fixes and contributors]
- (Updates as vulnerabilities are resolved)
For security vulnerabilities only:
- GitHub Security Advisory (coming soon)
- OR check GitHub repository for security contact
- See README.md
- Open GitHub Discussion
- Report bugs on GitHub Issues
Last updated: 2026-06-06