Comparison with similar products
We have been developing SFTPGo since 2019 as an Open Source project. Our constant commitment over all these years has transformed what was initially a hobbyist project into a fully featured and commercial-grade file transfer solution.
Over the years we have not only developed and maintained SFTPGo, but we have also helped improve some of its key dependencies. Most notably, the SFTPGo author and main contributor, Nicola Murino, is now the maintainer of the upstream golang.org/x/crypto/ssh package, and co-maintains the SFTP and FTP libraries used in SFTPGo.
This means that every Open Source or commercial SFTP solution written using the Go programming language (and there are many) leverages our work.
But there is a key difference: we maintain these libraries; they are just users. Who can provide you with the best support?
Most other similar file transfer solutions written in programming languages other than Go use commercial or Open Source libraries for the low-level protocols.
Only a few file transfer solutions can claim to be able to control and support everything from low-level protocols to web user interface, and we are proudly among them.
Some file transfer solutions are simply an interface around other software such as OpenSSH or even SFTPGo! Yes, exactly: they simply take other Open Source software, often taking advantage of the generosity of its license or even violating the Open Source license itself.
Now that we are structured as a company, we can start to better protect our Open Source software and our work by legally enforcing AGPLv3 requirements for derivative and combined works, but that is not the point here. The important point, for you as a customer, is to understand what happens if you buy a software solution where the vendor does not have control over all the components.
What happens if you report a problem caused by a component outside of your vendor's control? Well, you have to wait for your vendor to understand the problem and report it to its upstream. What if the upstream component used by your vendor is an Open Source project or library that they have no affiliation with? You have to wait for the Open Source maintainers to fix your issue, likely for free: this may never happen. This is why it is customary for software integrators to demand a "Software Bill of Materials" (SBoM), so why don’t you ask for an SBoM for the file transfer software you are relying on?
Furthermore, if a component outside of your vendor's control "just works," your vendor is actually reluctant to upgrade it: we see it all too often. This means that over time you may find yourself with an outdated solution, with known security issues, without you even being aware.
For example, we observed that several SFTP SaaS offerings are still vulnerable to the Terrapin attack, a weakness in the SSH transport layer protocol, and therefore affecting all SSH/SFTP implementations, that was fixed in December 2023. As maintainers of golang.org/x/crypto/ssh we contributed to the fix in the upstream Go library and released a new SFTPGo version just minutes after the security issue was publicly disclosed.
To help you understand if your current SFTP solution is reasonably secure, we offer a free basic security audit. The audit is non-destructive and does not require any credentials, only the IP address and port. This is just a basic scan that many bots run regularly to find vulnerable servers. This service is completely free and you are under no obligation to use our offerings. If you are interested, contact us.
As mentioned before, some products or services use SFTPGo under the hood, and these services may just bring you an old version of SFTPGo, perhaps with known security issues. Suppose you report an issue to them, but they have no expertise to fix the issue. They may ask for our help by filing an issue as anonymous users in our source code repository on GitHub, free riding on our generosity. This is one of the reasons why we no longer provide free support on GitHub.
Below we list some products and file transfer solutions that use SFTPGo under the hood. We are sure they are not alone; if you know of others, contact us.
We are in no way disparaging them or suggesting that you should leave them if you are satisfied with their service. Nor are we suggesting that they necessarily indulge in any of the questionable behaviour listed above. We just want to set the record straight about who is using our product and offering it to you. If anyone feels that this information is inaccurate, please contact us.
Please note that the below services and products are not endorsed by, nor affiliated with, us.
Here is the list: