Security

Data flow during a live session

Every session follows the same pipeline:

1. Audio capture (local). The desktop app reads your microphone via the OS audio API. Audio bytes never leave your machine.
2. Transcription (local). A bundled Whisper-class speech-to-text model converts audio to text on your CPU/GPU. The transcribed text stays in the app's memory.
3. AI prompt (encrypted to provider). Only the transcribed question, your stored resume context (if uploaded), and a small system prompt are sent over HTTPS to the AI provider you selected at session start (OpenAI, Anthropic Claude, Google Gemini, Groq, or xAI).
4. AI response (encrypted from provider). The AI provider returns the answer over the same encrypted connection. The answer renders in the desktop app overlay.
5. End of session. The transcript and AI response are kept in app memory until you close the session. Optional: you can save a session summary locally to your machine.

What we never do

What we do store

• Account email. Used for login and license-key delivery. Stored encrypted at rest in Supabase.
• License key. One per paid plan. Tied to your email. Stored encrypted at rest.
• Subscription status. Provided by Stripe. We store the tier and billing period; we do not store credit card numbers (Stripe handles those).
• Session counters. Daily/monthly counts of how many sessions you've used (so we can enforce plan limits). We do NOT store the content of those sessions.
• Anonymous error logs. If the desktop app crashes, an anonymized error report (no audio, no transcripts, no PII) is sent to help us debug.

Encryption and transport

• HTTPS/TLS 1.2+ for all API requests from the desktop app and the website.
• Strict-Transport-Security with HSTS preload on copilotinterview.com.
• API keys for AI providers are stored encrypted in the desktop app's local credentials store (OS keychain on macOS, DPAPI on Windows).
• Cloudflare in front of the website with WAF rules and DDoS protection.

Ghost Mode / screen-share safety

The desktop app's main window is rendered via the OS native window manager, not in a browser tab. This means:

• Browser-based screen sharing on Zoom, Teams, and Google Meet only captures the browser tab being shared. The CoPilot Interview window is not in that tab and therefore not in the share.
• Full-display screen sharing WILL show all windows including ours. Users who do full-display sharing can lower CoPilot Interview's opacity to make it visually unobtrusive, or move it to a secondary monitor.
• Most candidates use tab/window sharing rather than full-display, by interviewer convention.

This is a UX feature, not a defeat-the-interviewer guarantee. The screen-share-safety claim covers the common case of standard-window sharing; users are responsible for understanding their own interview-platform settings.

Responsible disclosure program

If you are a security researcher, ethical hacker, or curious engineer who finds a vulnerability in the CoPilot Interview desktop app, this website, or our API, we want to hear from you. We run an informal community bug-bounty program based on responsible disclosure principles.

How to report a vulnerability

• Email [email protected] with subject starting with Security:
• Or use the contact in our /.well-known/security.txt file (RFC 9116, the standard for security contact disclosure).
• Include reproduction steps, affected version or URL, expected vs actual behavior, and any proof-of-concept code if you have it.

Our commitment to you

• Acknowledged within 1 business day. Every responsible-disclosure report gets a human reply, not an autoresponder.
• Triage within 5 business days. We'll confirm severity, scope, and a patch timeline.
• Public credit on request. Valid reports get researcher credit in our changelog and a thank-you on this page (with your permission).
• Swag for the first reporter. The first researcher to report a valid issue gets CoPilot Interview swag mailed to them.
• No legal action against good-faith research. We will not pursue legal action against researchers who follow this responsible-disclosure policy.

What we ask in return

• Give us 90 days from the date of your report to investigate, patch, and notify users before public disclosure.
• Don't access, modify, or delete data that doesn't belong to your own test account.
• Don't run automated scanners or brute-force tools against production. (We do see them; they trigger our WAF.)
• Don't perform social-engineering attacks on our team or customers.
• Don't publish or sell vulnerability details before we've had time to patch.

In scope

• The desktop app (Windows and macOS builds from downloads.copilotinterview.com)
• copilotinterview.com and all subdomains
• The Stripe checkout integration where it touches our endpoints (NOT Stripe itself)
• The Supabase-backed account and licensing API

Out of scope

• Vulnerabilities in third-party AI providers (OpenAI, Anthropic, Google, Groq, xAI) — report those to the providers directly
• Issues only reproducible on outdated browsers or unsupported OS versions
• Self-XSS, missing security headers without a demonstrated exploit, descriptive error messages, or theoretical issues without proof-of-concept
• Rate-limiting or DoS bugs on public endpoints (a feature, not a bug, for an unauthenticated demo page)
• Reports generated by automated scanners without manual verification

About the bug bounty

We do not currently run a paid bug bounty program with cash rewards — we are a small team and cannot match the budgets of HackerOne or Bugcrowd platforms. We do offer swag, public credit, and our genuine gratitude. As the company grows, paid rewards are on the roadmap. If you find an issue and would prefer cash compensation, let us know in your report and we will see what we can arrange on a case-by-case basis.