Message boards : Documentation : BOINC, privacy and security
Author | Message |
---|---|
New member Joined: 31 Mar 25 Posts: 2 |
Hello fellow BOINCers, I am a long-time user (SPARC VI, Android) with a new account (SPARC I died, SPARC II and III unknown status, .. you can continue if you are a Babylon fan). On Bluesky we raised a question about privacy (which can be found here: https://boinc.berkeley.edu/wiki/Usage_rules); since we're in the cybersec and cyber privacy field, we'd like to know if there are further specs on how data are managed, how security is set (to prevent injs, MITM, and so on). Lovely noticed that it doesn't record keystrokes but, could it be vulnerable to other side channels attacks? |
Joined: 10 May 07 Posts: 1504 |
Anyone can look at the source code and review it on GitHub: https://github.com/BOINC/boinc |
Joined: 25 May 09 Posts: 1324 |
The GitHub repository is only applicable to projects and distros using the stock BOINC server and client applications. BOINC is open source, and as such can be modified by "!anyone". Each project can modify the server application to suit their needs and environment; likewise each "third party" distro can modify its application to suit its needs. So, you need to check with all projects to find out what they've done to the security parts of the server application, and each distro to find out what modifications they have made. Two projects I know have made modifications to the server code are "World Community Grid" and "Einstein"; there are probably a few more. Good luck in getting responses from many of the smaller or "more remote" projects. |
Joined: 28 Jun 10 Posts: 2811 |
Under Linux, BOINC and the projects running using it don't have access to data outside /var/lib/boinc (or boinc-client in some older installations). I don't know anything about how Windows manages its security, but my only Windows client is in a VM that is only used for running BOINC. I would suggest that the security of the underlying OS is a far more important consideration, though I would hesitate to use any software on a work computer for non-work purposes, especially if the machine contained sensitive information. |
Joined: 29 Aug 05 Posts: 15609 |
In reply to claudia's message of 31 Mar 2025: "we'd like to know if there are further specs on how data are managed, how security is set (to prevent injs, MITM, and so on). Lovely noticed that it doesn't record keystrokes but, could it be vulnerable to other side channels attacks?" There isn't any such security. Anyone can take the BOINC client and server source code, change it to his heart's desire, and run anything they'd like as an application in the BOINC Manager. And if he then makes a live project out of it, it's up to the users to use their gut to figure out if the project is legit or not and if they want to run it on their systems. We're using GPL on our software, meaning anyone can use it and adapt it to their own use base for free and without us telling him he can't do that. As https://thehackernews.com/2024/07/socgholish-malware-exploits-boinc.html shows, BOINC is being used to run on botnets. Although this seemed to be a test. |
New member Joined: 31 Mar 25 Posts: 2 |
Thanks! I was aware of that. My question was more on the data handling side, but def all the messages in response are good to understand the "nature". Thanks for all the replies, much appreciated your time. |
Copyright © 2025 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.