CopyPaste handles your clipboard history, and that can include sensitive stuff. I take security seriously because you're trusting this tool with content that might be personal or confidential.
This isn't corporate security theater. This is a personal project shared with the community. It's built on trust: transparency in the code, responsibility when issues come up, and treating security researchers as partners.
I'm not protecting a brand or business. I'm protecting you and everyone using this tool.
- 100% Local Storage: Your clipboard history never leaves your machine. No cloud sync, no telemetry, no remote servers.
- Sensitive Data Exclusion: Password manager content (1Password, Bitwarden, etc.) is automatically excluded from history.
- No Tracking: I don't collect anything. No analytics, no usage data, nothing.
- Local SQLite Database: Your clipboard history is stored in a local database on your machine, not in the cloud.
- Configurable Retention: Automatically delete old clipboard items based on your retention settings.
- Open Source: Every line of code is public. You can inspect, audit, and verify what we're doing.
- Modern .NET Stack: Built on .NET 10 Preview with the latest security features and updates.
- Dependency Updates: We regularly update dependencies to patch known vulnerabilities.
- Code Reviews: All contributions go through review before merging.
Security updates are provided for:
| Version | Supported |
|---|---|
| Latest Release | ✅ Actively Supported |
| Beta Versions | ✅ Actively Supported |
| Older Releases | ❌ Not Supported (please update) |
We strongly recommend always using the latest version from the Releases Page.
If you discover a security vulnerability in CopyPaste, please help us protect our users by reporting it responsibly.
Please report:
- ✅ Unauthorized access to clipboard history
- ✅ Privilege escalation issues
- ✅ Data leakage or unintended storage of sensitive information
- ✅ Injection attacks (SQL, command, etc.)
- ✅ Bypass of sensitive data exclusion mechanisms
- ✅ Critical bugs that could lead to data loss or corruption
Not security issues:
- ❌ Feature requests or enhancements
- ❌ General bugs that don't have security implications
- ❌ Issues with third-party dependencies (report those upstream)
- ❌ Windows SmartScreen warnings (see README for explanation)
DO NOT open a public GitHub issue for security vulnerabilities. Instead, use one of these private channels:
Send an email to: github@apirest.cl
Subject: [SECURITY] Brief description of the issue
This is the fastest way to reach us. We check email daily and will respond within 48 hours.
- Go to the Security tab in the repository
- Click "Report a vulnerability"
- Fill in the details using the template provided
- Submit privately: only maintainers will see it
Choose whichever method is most comfortable for you. What matters is that we hear from you.
Include in your report:
- Description: Clear explanation of the vulnerability
- Impact: What could an attacker do? Who is affected?
- Steps to Reproduce: How can we reproduce the issue?
- CopyPaste Version: Which version is affected?
- Windows Version: OS version and build number
- Proof of Concept (optional): Code or screenshots demonstrating the issue
- Suggested Fix (optional): If you have ideas on how to fix it

- Acknowledgment (Within 48 Hours)
  - I'll confirm I received your report
  - I'll let you know if I need more information
- Investigation (1-7 Days)
  - I'll reproduce and analyze the issue
  - Assess severity and impact
  - Develop a fix
- Resolution
  - Create a patch and test it thoroughly
  - Coordinate a release timeline with you
  - Credit you in the release notes (if you want)
- Disclosure (After Fix is Released)
  - Publish a security advisory
  - Notify users to update
  - You can publicly disclose (coordinated disclosure)
| Severity | Response Time | Fix Target |
|---|---|---|
| Critical (Remote code execution, data breach) | 24 hours | 1-3 days |
| High (Privilege escalation, significant data leak) | 48 hours | 3-7 days |
| Medium (Limited scope, requires user interaction) | 3 days | 1-2 weeks |
| Low (Minimal impact, edge cases) | 1 week | Next release |
I'm one person (with community help), but I take security seriously. If you don't hear back within the expected timeframe, please follow up; things might've gotten lost.
I believe in coordinated disclosure to protect users:
- Please give me reasonable time to fix the issue before publicly disclosing it
- I aim to release fixes within 7 days for critical issues
- I'll work with you on a disclosure timeline that protects users
- I'll credit you in the release notes (unless you prefer to remain anonymous)
I WILL:
- ✅ Treat you with respect and gratitude: you're helping protect users
- ✅ Respond promptly to your report (within 48 hours)
- ✅ Keep you updated throughout the investigation and fix process
- ✅ Credit your work publicly (if you want)
- ✅ Be transparent about the timeline and progress
I will NEVER:
- ❌ Threaten legal action against good-faith security researchers
- ❌ Ignore or dismiss legitimate reports
- ❌ Retaliate against reporters in any way
- ❌ Use intimidation tactics or silence critics
- ❌ Blame you for finding vulnerabilities in the code
Security research makes everyone safer. I'm grateful for your work and will treat you as a valued partner in protecting the community.
We're grateful to the security researchers who help make CopyPaste safer:
- No security issues reported yet. Help us stay secure!
Want to be listed here? Report a verified security vulnerability and choose to be credited. We'll add your name (or handle) and a link to your profile if you'd like.
- Keep CopyPaste Updated: Enable automatic updates or check for new releases regularly
- Review Clipboard History: Periodically check what's being stored and delete sensitive items
- Configure Retention: Set shorter retention periods if you handle highly sensitive data
- Use Password Managers: Their clipboard content is automatically excluded from history
- Read the Code: The entire codebase is open source: CopyPaste Repository
- Review Dependencies: Check `*.csproj` files for third-party libraries we use
- Security Best Practices: Follow secure coding guidelines when contributing
CopyPaste does not currently use cryptographic functions for data storage.
- Clipboard history is stored in plaintext in a local SQLite database
- Database files are protected by Windows file system permissions
- No encryption is applied to stored clipboard data
Why?
- The database is local-only and protected by your Windows user account
- Encryption would add complexity and potential key management issues
- Performance and startup time would be impacted
- You control physical access to your machine
Future Consideration: If there's community demand for at-rest encryption, we're open to discussing it. Open an issue if this is important to you.
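Because the stored history is plaintext and relies on Windows file system permissions, the ACL on the database file is the whole protection boundary. The following PowerShell check is an added example, not part of CopyPaste or its repository; `$DbPath` is a placeholder (this page does not state where the database lives), and the list of expected principals is an assumption about a typical per-user file.

```powershell
# Added example: report who can read a plaintext SQLite file through its NTFS ACL.
# $DbPath is a placeholder; this page does not say where CopyPaste keeps its database.
param(
    [Parameter(Mandatory)]
    [string]$DbPath
)

$ErrorActionPreference = 'Stop'

# Assumption: only the current user, SYSTEM and local Administrators should have access.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$expected = @(
    $me.Value,
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'    # BUILTIN\Administrators
)

# ReadData is the right that exposes the file's contents.
$readMask = [System.Security.AccessControl.FileSystemRights]::ReadData

$acl = Get-Acl -LiteralPath $DbPath
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (-not ($ace.FileSystemRights -band $readMask)) { continue }

    # Compare by SID so the check does not depend on localized account names.
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = $ace.IdentityReference.Value   # unresolvable or orphaned entry
    }

    if ($sid -notin $expected) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "Principals other than you, SYSTEM and Administrators can read $DbPath"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "Only $($me.Value), SYSTEM and Administrators have read access to $DbPath"
}
```

If SQLite has created `-wal` or `-journal` side files next to the database, run the same check on them, since they hold the same plaintext pages.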
We're here to help and answer questions:
- Security Questions: Email us at github@apirest.cl; we're happy to discuss concerns privately
- General Questions: Open a Discussion; ask publicly, we'll answer openly
- Vulnerability Reports: Use the private channels above; never post security issues publicly
- Policy Feedback: Open an Issue; help us improve this policy
Security is everyone's responsibility. Thank you for helping keep CopyPaste safe for everyone using it.
Remember: If you're unsure whether something is a security issue, reach out anyway. I'd rather have a conversation than miss a real problem.
Built securely, transparently, and with ❤️ by the community.