CloakDrop is a privacy-first download manager. We take security and privacy seriously and appreciate responsible disclosure.
Only the latest released version receives security updates.
| Version | Supported |
|---|---|
| latest | ✅ |
| older | ❌ |
Please do not open a public issue for security vulnerabilities.
Instead, report it privately through GitHub Security Advisories:
➡️ https://github.com/cloakyard/cloakdrop/security/advisories/new
Please include:
- A description of the vulnerability and its potential impact.
- Clear steps to reproduce (a proof of concept if possible).
- The affected version / commit and your environment (macOS version).
What to expect:
- Acknowledgement within 48 hours.
- A status update within 7 days.
- Credit in the release notes when the fix ships, unless you prefer to remain anonymous.
CloakDrop is a native, sandboxed macOS app designed to minimize attack surface:
- No server, no account, no telemetry. Nothing is uploaded and nothing phones home. The only network egress is to the URLs you explicitly choose to download (and, when you configure one, your proxy).
- Sandboxed. The app runs under the macOS App Sandbox with the hardened runtime. It accesses only the folders you point it at, via security-scoped bookmarks.
- Local-only state. Download history and settings are stored in a local SQLite database that you can export or delete at any time.
- Credentials in the Keychain. Saved per-site HTTP/FTP logins and the manual-proxy password are stored in the macOS Keychain, never in the plaintext settings database. The on-disk proxy password field is blanked and rehydrated into memory only at runtime.
- Third-party dependencies. CloakDrop's only third-party Swift dependency is GRDB (SQLite).
Two native command-line tools are also bundled as code-signed, sandboxed helper binaries:
ffmpeg (stream-copy muxing) and yt-dlp (a read-only page→formats resolver). Both run
in-sandbox as
inherit-entitled children, only ever read or transform local data, and add no network egress of their own — the app's engine performs every download. Dependencies are kept minimal and reviewed before being added. - Downloaded content. CloakDrop transfers files but does not execute them, and stamps the
com.apple.quarantineflag on saved files so Gatekeeper vets them on first open. Always verify what you download; use the built-in checksum verification and the Provenance Receipt when an expected hash or signature is available. - Archive extraction. Optional native ZIP auto-extraction is hardened against Zip-Slip path traversal and decompression bombs (compression-ratio + hard per-entry size caps), and runs only after the checksum verifies; each extracted file is quarantine-stamped. Only ZIP is handled natively — no third-party archive library is bundled.
- macOS / system vulnerabilities should be reported to Apple.
This policy covers the CloakDrop application and the DownloaderCore package in this
repository. Issues in third-party dependencies should also be reported upstream.