OpenPaste is designed with security as a core principle. This document outlines the security architecture, threat model, and security best practices for the project.
- Defense in Depth: Multiple layers of security
- Least Privilege: Minimal access required
- Secure by Default: Secure configurations out of the box
- Transparency: Open security practices
- Regular Audits: Continuous security review
Local Attacker:
- Has physical access to device
- Can run arbitrary code
- Can access filesystem
Network Attacker:
- Can intercept network traffic
- Can attack network services
- Limited to localhost by default
Malicious Plugin:
- Runs in WASM sandbox
- Has limited permissions
- Cannot escape sandbox (by design)
Clipboard Data:
- User clipboard history
- Sensitive information (passwords, keys, etc.)
- Personal information
Encryption Keys:
- Master password
- Database encryption keys
- Plugin permissions
User Privacy:
- Usage patterns
- Source applications
- Search queries
Process Boundary:
- Daemon runs as user process
- No privilege escalation
- No system-level access
Network Boundary:
- API binds to localhost only
- No external network access by default
- Optional TLS for remote access
Sandbox Boundary:
- Plugins run in WASM sandbox
- No direct filesystem access
- No direct network access (without permission)
At Rest:
- AES-256-GCM for database content
- Argon2id for key derivation
- Optional file system encryption
In Transit:
- Optional TLS for REST API
- Unix domain sockets (local only)
- Named pipes (Windows, local only)
In Memory:
- Zeroization of sensitive data
- Memory locking (optional)
- Secure memory allocation
Authentication:
- API token for REST API
- Master password for encryption
- Optional biometric unlock
Authorization:
- Plugin permissions system
- Role-based access (future)
- Resource-based access (future)
Process Isolation:
- Separate daemon process
- Separate UI process
- IPC communication only
Sandbox Isolation:
- WASM runtime for plugins
- Limited host API access
- Permission-based access
Master Password:
- Minimum 8 characters
- Argon2id key derivation
- Salt stored separately
- Key hash for verification
Database Encryption:
- Per-item encryption
- Random nonces
- Authenticated encryption (AEAD)
- Optional encryption scope
Memory Protection:
- Zeroization on drop
- Secure memory types
- Optional memory locking
Clipboard Input:
- Content type validation
- Size limits
- Sanitization (HTML)
- Malware scanning (future)
API Input:
- JSON schema validation
- SQL injection prevention
- XSS prevention
- CSRF protection
CLI Input:
- Argument validation
- Path traversal prevention
- Command injection prevention
Configuration:
- API binds to localhost only
- Encryption optional but recommended
- No remote access by default
- No telemetry by default
Permissions:
- Plugins require explicit permissions
- Users grant permissions at install
- Permissions can be revoked
Storage:
- Database in user directory
- File system permissions restricted
- No world-readable files
Code Review:
- All code reviewed before merge
- Security-focused review for sensitive code
- Two maintainer approval required
Dependencies:
- Regular dependency updates
- Security scanning (cargo-audit, npm audit)
- Minimal dependency usage
Testing:
- Security-focused tests
- Fuzz testing (future)
- Penetration testing (before v1.0)
Code Signing:
- Windows binaries signed
- macOS binaries signed and notarized
- Linux packages signed
Distribution:
- Secure build pipeline
- Reproducible builds (future)
- Hash verification
Updates:
- Signed updates
- Update verification
- Rollback capability
Monitoring:
- Security event logging
- Anomaly detection (future)
- Alert on suspicious activity
Incident Response:
- Security incident policy
- Response team
- Communication plan
How to Report:
- Email: security@openpaste.org (when available)
- Private GitHub issue (when available)
- PGP key for encryption (when available)
What to Include:
- Vulnerability description
- Steps to reproduce
- Impact assessment
- Proof of concept (optional)
Response Timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Fix timeline: Based on severity
Critical:
- Remote code execution
- Data exposure without user interaction
- Bypass of encryption
High:
- Local code execution
- Data exposure with user interaction
- Privilege escalation
Medium:
- Information disclosure
- Denial of service
- Authentication bypass
Low:
- Minor information disclosure
- UI issues
- Configuration errors
Coordinated Disclosure:
- Work with reporter on timeline
- Fix before public disclosure
- Credit reporter in release notes
Public Disclosure:
- After fix is released
- Include CVE (if applicable)
- Include mitigation guidance
Data Minimization:
- Collect only necessary data
- Optional telemetry
- User control over data
User Rights:
- Right to access data
- Right to delete data
- Right to export data
Transparency:
- Privacy policy
- Data usage documentation
- Open source code
GDPR:
- Data protection by design
- User consent
- Data portability
- Right to be forgotten
CCPA:
- Privacy notice
- Opt-out mechanism
- Data deletion
Internal Audit:
- Code review
- Architecture review
- Threat modeling
External Audit:
- Third-party security firm
- Penetration testing
- Vulnerability assessment
Dependency Scanning:
- Automated scanning in CI
- Weekly manual review
- Immediate action on CVEs
Code Scanning:
- Static analysis
- Secret scanning
- Pattern matching
Code:
- All code reviewed
- Security tests pass
- No known vulnerabilities
- Dependencies updated
Configuration:
- Secure defaults
- No hardcoded secrets
- Proper file permissions
- Encryption enabled by default
Documentation:
- Security documentation updated
- Privacy policy updated
- Release notes include security info
Monitoring:
- Security events monitored
- Anomaly detection enabled
- Incident response ready
Updates:
- Dependency updates monitored
- Security patches prioritized
- User communication plan
Clipboard Access:
- Other applications can read clipboard
- No clipboard isolation
- Platform limitation
Memory:
- Keys in memory while unlocked
- Vulnerable to memory dumps
- Mitigation: auto-lock
Plugins:
- WASM sandbox escape (theoretical)
- Side-channel attacks
- Mitigation: permission limits
Clipboard:
- OS-level clipboard isolation (future)
- Secure clipboard (future)
Memory:
- Hardware security module (future)
- Secure enclave (future)
Plugins:
- Enhanced sandbox (future)
- Formal verification (future)
Internal:
- ENCRYPTION.md - Encryption design
- IPC.md - IPC security
- PLUGIN_SDK.md - Plugin security
External:
Scanning:
- cargo-audit
- npm audit
- cargo-deny
- trivy
Testing:
- cargo-fuzz
- AFL
- libFuzzer
Monitoring:
- auditd (Linux)
- Event Tracing (Windows)
- Unified Logging (macOS)
Security Lead:
- Security architecture
- Vulnerability management
- Security audits
Security Reviewers:
- Code review
- Threat modeling
- Incident response
Security Issues:
- Email: security@openpaste.org (when available)
- GitHub Security Advisory (when available)
General Security:
- GitHub Discussions
- Issues (non-sensitive)
Data Breach:
- Unauthorized data access
- Data exfiltration
- Data corruption
Compromise:
- Code injection
- Supply chain attack
- Credential theft
Denial of Service:
- Service unavailable
- Resource exhaustion
- Attack on availability
Detection:
- Monitoring alerts
- User reports
- Automated detection
Containment:
- Isolate affected systems
- Disable affected services
- Preserve evidence
Eradication:
- Remove threat
- Patch vulnerabilities
- Clean systems
Recovery:
- Restore from backup
- Verify integrity
- Resume operations
Lessons Learned:
- Post-mortem analysis
- Process improvement
- Documentation update
Yes, if encryption is enabled. Data is encrypted at rest using AES-256-GCM. Encryption is optional but recommended.
Yes, this is a platform limitation. OpenPaste cannot prevent other applications from reading the clipboard. We recommend using the system clipboard manager or secure clipboard features when available.
Plugins run in a WASM sandbox with limited permissions. Users must grant permissions explicitly. However, no system is 100% secure, so only install plugins from trusted sources.
By default, the API binds to localhost only, which provides network isolation. For remote access, TLS can be enabled. API tokens are used for authentication.
If encryption is enabled and you forget your master password, your data cannot be recovered. This is intentional for security. We recommend using a password manager to store your master password.
No, OpenPaste does not send data to the cloud by default. All data is stored locally. Optional cloud sync can be enabled, but it requires explicit configuration.
Please report security vulnerabilities privately via email to security@openpaste.org (when available) or via GitHub Security Advisory. Do not report vulnerabilities in public issues.