Security disclosure policy

Last updated: April 19, 2026.

We appreciate responsible reports of security issues. This policy explains what is in scope, how to report, and what kind of testing we consider safe-harbor.

Contact

Email security@sharecopypaste.com. We aim to acknowledge within 3 business days. PGP key available on request.

Scope

• sharecopypaste.com and its API endpoints.
• The Sharecopypaste browser extension.

Out of scope

• Volumetric DoS, social engineering, physical attacks.
• Findings against third-party services we use (report those directly to the vendor).
• Self-XSS, missing best-practice headers without a working PoC.

Safe harbor

If you make a good-faith effort to comply with this policy, do not access or modify other users’ data beyond what is needed to prove the issue, and give us a reasonable chance to fix the issue before public disclosure, we will not pursue legal action against you for that research.

security.txt

See /.well-known/security.txt per RFC 9116.