
Security: ferdinand7721/motrix-windows-agent


SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a vulnerability in the Motrix Windows Agent, please report it privately. Do NOT open a public issue.

  • Email: security@fordrax.com
  • Response time: within 72 hours
  • Coordinated disclosure window: 90 days from confirmation

Threat Model

The agent runs on customer-owned Windows endpoints with the privileges granted by the user who installs it. It performs read-only telemetry:

  • IIS site/binding/app-pool enumeration
  • Local config audit
  • Windows hardening posture (15 checks: UAC, SMB, RDP, firewall, BitLocker, etc.)
  • Local-only port scan
  • Software inventory (registry uninstall keys)
  • Heartbeat to a configurable gateway URL

Risks explicitly mitigated:

  • No remote code execution: command queue is allowlist-only.
  • No credential collection: agent does not read browser stores, keytabs, etc.
  • No lateral movement: no SMB/WMI enumeration of remote hosts.
  • TLS 1.2 enforced for all gateway calls.

Risks out of scope:

  • Compromise of the configured gateway URL (the consumer who configures the gateway is responsible for trusting it).
  • Misuse on systems the operator does not own (operator responsibility).

Verifying releases

All binary releases on this repo's GitHub Releases page are SHA-256 attested. Always verify the hash before installing in production. Hashes are listed in each release's notes.
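The following PowerShell script is an added example of the verification step described above; it is not part of the project's own tooling. It assumes you have downloaded the release binary and copied the published SHA-256 value from the release notes; the file name and hash shown in the usage call are placeholders, not real release values.

```powershell
# Added example (not the project's own code): compare a downloaded release
# binary against the SHA-256 hash published in the release notes.
function Test-ReleaseHash {
    param(
        [Parameter(Mandatory)] [string]$Path,          # path to the downloaded binary
        [Parameter(Mandatory)] [string]$ExpectedHash   # hash copied from the release notes
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Normalise the published value: drop an optional 'sha256:' prefix and any
    # whitespace, then uppercase so the comparison is case-insensitive.
    $expected = ($ExpectedHash -replace '^sha256:\s*', '' -replace '\s', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw "Expected hash is not a 64-character hex SHA-256 value: '$ExpectedHash'"
    }

    # Get-FileHash is built into Windows PowerShell 4+ and PowerShell 7.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()

    if ($actual -ne $expected) {
        Write-Warning ("HASH MISMATCH for {0}`n  expected: {1}`n  actual:   {2}`n" +
                       "The download is corrupted or was tampered with; do not install it.") -f $Path, $expected, $actual
        return $false
    }

    Write-Host "OK: $Path matches the published SHA-256 hash"
    return $true
}

# Usage (placeholder file name and hash; take the real values from the release page):
$ok = Test-ReleaseHash -Path '.\motrix-windows-agent-PLACEHOLDER.exe' `
                       -ExpectedHash 'PLACEHOLDER_64_HEX_CHARS_FROM_RELEASE_NOTES'
if (-not $ok) { exit 1 }
```

Run it from the directory holding the download, and wire `exit 1` into any deployment script so a mismatch stops the install rather than just printing a warning. The hex-format check catches the common mistake of pasting a truncated or wrongly copied hash, which would otherwise fail every comparison and be indistinguishable from a real mismatch.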

There aren't any published security advisories