Security Disclosure

This responsible disclosure page explains how to report security issues and what is in scope for PastePrompt.

Plain-language policy

This page summarizes the current PastePrompt policy in plain language. It is not legal advice; if formal contract terms apply to your purchase or organization, those written terms control.

Responsible disclosure

If you believe you have found a security issue in PastePrompt, the website, or a license-related system (if one is present), contact roberreigada@gmail.com. Include enough detail for us to understand the issue, reproduce it safely, and contact you with follow-up questions.

What to report

Useful reports may include:

  • local file access outside an intended repository boundary;
  • secret scanner bypasses that affect copy or export gating;
  • unsafe path handling, symlink traversal, or command invocation behavior;
  • website vulnerabilities that affect users or downloads;
  • license validation or activation issues if a license system is present;
  • download, checksum, update, signing, or release-integrity issues.

What not to include

Please do not send:

  • live private keys, tokens, API keys, passwords, or customer secrets;
  • private client source code or generated context bundles;
  • large exploit payloads or destructive proof-of-concept files;
  • reports requiring access to systems you do not own or have permission to test.

Use sanitized examples and minimal reproduction steps whenever possible.

Scope

  • PastePrompt macOS app security.
  • PastePrompt documentation and marketing website security.
  • PastePrompt download, release, and update metadata if configured.
  • PastePrompt license system behavior if present.

Out of scope

  • LLM provider behavior after a user pastes or uploads a bundle.
  • Issues caused only by compromised local machines or unrelated third-party tools.
  • Reports based only on missing compliance certifications.
  • Social engineering, spam, denial-of-service traffic, or destructive testing.

No bug bounty

PastePrompt does not offer a public bug bounty unless a separate program is explicitly announced. Submitting a report does not create an entitlement to payment, reward, public credit, or response timeline.

Product security model

For how the app is intended to handle local repositories, clipboard/export risk, secret scanning, and update checks, read the local-first model and security limitations.