Security: willowvibe/LiveCap

Security Policy

Supported Versions

Version               Supported
Latest (main branch)  ✅ Yes
Older releases        ❌ No

LiveCap is a client-side-only web application. There is no backend server, database, or API in the current free-tier implementation. All processing happens in the user's browser.


Architecture Security Notes

What LiveCap Does NOT Do (Current Free Tier)

  • Does not transmit recordings to any server
  • Does not store recordings outside the user's browser (IndexedDB is local-only)
  • Does not collect user data or analytics beyond what the deployment host may log
  • Does not require user accounts or authentication
  • Does not use cookies

Browser Permissions Used

  • getDisplayMedia — screen/window/tab capture (user must explicitly approve)
  • getUserMedia (audio) — microphone access (user must explicitly approve)
  • getUserMedia (video) — webcam access (user must explicitly approve; optional)
  • IndexedDB — local chunk storage during recording (no network access)

All permission prompts are initiated by user action (clicking "Start Recording") and governed by the browser's built-in permission model. No permissions are requested silently or on page load (except microphone enumeration for the device list).

Security Headers (Production)

The Netlify and Vercel configs include:

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
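
A way to catch drift between the two deployment configs and the three headers listed above, as an added example that is not LiveCap's own code. It assumes a Netlify `_headers` file and a `vercel.json` (the page does not say which Netlify format the project uses); the function names and sample configs are constructed for illustration.

```javascript
// Headers this policy lists for production deployments.
const REQUIRED = {
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin',
};

// Netlify `_headers` format: an unindented path line, then indented "Name: value" lines.
function parseNetlifyHeaders(text) {
  const rules = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    if (!/^\s/.test(raw)) { current = rules[line] = {}; continue; }
    const idx = line.indexOf(':');
    if (current && idx > 0) current[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return rules;
}

// vercel.json format: { "headers": [{ "source": ..., "headers": [{ "key", "value" }] }] }.
function parseVercelHeaders(json) {
  const rules = {};
  for (const rule of JSON.parse(json).headers || []) {
    const set = (rules[rule.source] = rules[rule.source] || {});
    for (const { key, value } of rule.headers || []) set[key.toLowerCase()] = value;
  }
  return rules;
}

// Compare one rule's header set with REQUIRED; an empty result means the rule matches the policy.
function auditHeaders(headers = {}) {
  const problems = [];
  for (const [name, expected] of Object.entries(REQUIRED)) {
    const actual = headers[name];
    if (actual === undefined) problems.push(`missing ${name}`);
    else if (actual.toLowerCase() !== expected.toLowerCase()) problems.push(`${name}: got "${actual}", want "${expected}"`);
  }
  return problems;
}

// Constructed sample configs (not LiveCap's actual files).
const netlifySample = '/*\n  X-Content-Type-Options: nosniff\n  X-Frame-Options: DENY\n  Referrer-Policy: strict-origin-when-cross-origin\n';
const vercelSample = JSON.stringify({ headers: [{ source: '/(.*)', headers: [
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'X-Frame-Options', value: 'SAMEORIGIN' }, // drifted value, and Referrer-Policy is absent
] }] });
console.log(auditHeaders(parseNetlifyHeaders(netlifySample)['/*']), auditHeaders(parseVercelHeaders(vercelSample)['/(.*)']));
```

Run in CI against the real config files, a non-empty result from either audit should fail the build.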

Reporting a Vulnerability

If you discover a security vulnerability in LiveCap, please do not open a public GitHub issue.

Instead, report it responsibly:

  1. Email: Send details to the maintainer via the contact listed in the GitHub repository

  2. Include:

    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Any suggested mitigations (optional)

  3. Response timeline:

    • Acknowledgement within 48 hours
    • Assessment and severity rating within 7 days
    • Fix or mitigation within 30 days for confirmed issues

We appreciate responsible disclosure and will credit researchers in the CHANGELOG when a fix is released (with your permission).


Known Limitations

  • Safari compatibility: MediaRecorder with VP9/VP8 codecs is not supported in Safari. LiveCap falls back to plain video/webm, which some Safari versions may refuse to play back. This is a browser limitation, not a security issue.
  • Recording content: LiveCap cannot prevent users from recording sensitive content visible on their screen. Users are responsible for what they choose to capture and share.
  • Watermark bypass (Free tier): The watermark is applied in the browser's canvas. A technical user could modify the source to remove it. This is a known limitation of client-side enforcement.

There aren’t any published security advisories