Security

Found something? We want to hear it.

Last updated July 9, 2026

Cover redacts sensitive documents, so getting security right matters. If you find a vulnerability in the app or this website, please tell us. Here is how, and what to expect.

Report a vulnerability

[email protected]

How to report

Email [email protected] with enough detail to reproduce the issue: what you did, what you saw, and why it matters. A proof-of-concept, screenshots, or a sample file help us confirm and fix it quickly. If you use only synthetic or your own test data, please say so.

Scope

Good-faith safe harbor

We welcome good-faith security research. If you make a genuine effort to follow this policy, avoid privacy violations and data destruction, and do not degrade the service for others, we will not pursue legal action against you for your research, and we will work with you to understand and resolve the issue.

What to expect

We aim to acknowledge your report within about seven days. We will keep you updated as we investigate, and we are glad to credit you once a fix ships, if you would like.

Security architecture

Cover is built so that a redaction is only saved if the sensitive content is provably gone. Two independent, fail-closed checks run near the end of every redaction, and either one can stop the file from being written:

Because both checks fail closed, the safe outcome when something is uncertain is to stop, not to ship a document with hidden text still recoverable underneath.

A note on privacy

Redaction runs entirely on your Mac. Your documents are never uploaded, so a report about redaction quality never needs to include a real sensitive document. Synthetic samples are perfect. See our privacy policy for how the app and website handle data.