Skip to content

Security: sparesparrow/cliphist-android

Security

SECURITY.md

πŸ”’ Security Policy

πŸ“‹ Supported Versions

We actively support the following versions with security updates:

Version Supported Security Updates
1.0.x βœ… βœ…
< 1.0 ❌ ❌

🚨 Reporting a Vulnerability

If you discover a security vulnerability in Clipboard History, please help us by reporting it responsibly.

How to Report

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing:

What to Include

When reporting a security vulnerability, please include:

  1. Description: A clear description of the vulnerability
  2. Impact: What an attacker could achieve by exploiting this vulnerability
  3. Steps to Reproduce: Detailed steps to reproduce the issue
  4. Environment: App version, Android version, device information
  5. Proof of Concept: If possible, include a proof of concept

Response Timeline

  • Initial Response: Within 24 hours
  • Vulnerability Assessment: Within 72 hours
  • Fix Development: Within 1-2 weeks for critical issues
  • Public Disclosure: After fix is deployed and tested

πŸ›‘οΈ Security Features

Data Encryption

  • All clipboard data is encrypted using SQLCipher
  • AES-256-GCM encryption for sensitive data
  • Secure key generation and storage

Access Control

  • Biometric authentication support
  • Secure clipboard access permissions
  • Background service restrictions

Network Security

  • Certificate pinning for secure communications
  • HTTPS-only network requests
  • No unnecessary network permissions

Code Security

  • Regular security audits and dependency scanning
  • ProGuard/R8 obfuscation for release builds
  • No hardcoded secrets or API keys

πŸ” Security Scanning

We use automated security scanning tools:

  • CodeQL: Static analysis for security vulnerabilities
  • OWASP Dependency Check: Third-party library vulnerability scanning
  • Android Lint: Android-specific security checks
  • Manual Security Audits: Quarterly comprehensive reviews

πŸ“ž Contact

For security-related questions or concerns:

πŸ™ Recognition

We appreciate security researchers who help keep our users safe. With your permission, we will acknowledge your contribution in our security advisories.

πŸ“ Security Updates

Security updates will be:

  1. Released as patch versions (e.g., 1.0.1, 1.0.2)
  2. Documented in release notes with CVE identifiers
  3. Communicated through GitHub Security Advisories
  4. Distributed through automated updates

Last Updated: December 5, 2024

There aren’t any published security advisories