Sublime Forum

Network or security audits of Sublime Text?

#1

Have there been any audits, including simple examinations regarding the behavior of sublime text with regards to malicious behavior?

Namely, are there any claims or recorded instances of sublime text:

  1. Downloading data to sublime text servers
  2. Analyzing hard drive contents outside the scope of expected behavior

I am not suggesting that Sublime Text performs any such behavior, but as it is closed source, and it is provided access to machines with potentially valuable intellectual property, it would be nice to understand the community's current understanding of behavior, privacy policies, certifications and/or audits.

0 Likes

#2

Since this software is closed source I was curious about this as well. Has any third party done a security audit?

0 Likes

#3

Yes, there have been such examinations. Sublime Text only accesses servers to obtain updates.

Please note that 3rd party plugins are a different matter - you simply have to review them yourself (although I’m not aware of any problem there either).

0 Likes

#4

You can also set enable_telemetry to false if you don’t want to send stats to Sublime HQ.

0 Likes

#5

Where do you tell it not to collect telemetry? Also is the audit published? If so where can we find it?

0 Likes

#6

In the preferences.

// When enabled, anonymised usage data is sent back, assisting Sublime HQ
// in making informed decisions about improving Sublime Text. File names
// and file contents are never included, but data such as computer
// specifications, startup time, installed packages, and edited file types
// are. When disabled, telemetry is neither recorded or sent.
// A setting of auto will enable telemetry in dev builds, and disable
// telemetry in regular builds.
"enable_telemetry": "auto",

0 Likes