We actively support the following versions with security updates:
| Version | Supported |
|---|---|
| 4.1.x | ✅ |
| 4.0.x | ✅ |
| < 4.0 | ❌ |
If you discover a security vulnerability in GenAI Browser Tool, please report it responsibly:
- DO NOT create a public GitHub issue
- DO NOT disclose the vulnerability publicly until it has been addressed
- DO email security concerns directly to: aaronsequeira12@gmail.com
- DO provide detailed information about the vulnerability
When reporting a security vulnerability, please include:
- Description: Clear description of the vulnerability
- Impact: Potential impact and severity assessment
- Reproduction: Step-by-step instructions to reproduce
- Evidence: Screenshots, logs, or proof of concept (if applicable)
- Environment: Browser version, extension version, operating system
- Contact: Your preferred method of communication for follow-up
- Acknowledgment: Within 48 hours of report
- Initial Assessment: Within 5 business days
- Status Updates: Weekly until resolution
- Resolution: Target 30 days for critical issues, 90 days for others
The extension implements a strict Content Security Policy:
{
"content_security_policy": {
"extension_pages": "script-src 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://api.openai.com https://api.anthropic.com https://generativelanguage.googleapis.com;"
}
}All user inputs are validated and sanitized:
- HTML Sanitization: Using DOMPurify to prevent XSS
- Content Length Limits: Maximum content size enforcement
- Input Type Validation: Schema validation using Zod
- URL Validation: Safe URL pattern checking
- Encrypted Storage: API keys encrypted using Chrome storage
- Memory Protection: Keys cleared from memory after use
- Transmission Security: HTTPS-only API communication
- Access Control: Restricted to authorized contexts only
- Local Processing: When possible, data processed locally
- Minimal Data Collection: Only necessary data collected
- Data Retention: Automatic cleanup of old data
- User Control: Users can delete their data anytime
- Keep Extension Updated: Always use the latest version
- Secure API Keys: Use separate API keys for different applications
- Review Permissions: Understand what permissions the extension requests
- Monitor Usage: Regularly review your API usage and costs
- Report Issues: Report any suspicious behavior immediately
- Code Review: All code changes require security review
- Dependency Scanning: Regular dependency vulnerability scanning
- Security Testing: Automated security testing in CI/CD
- Principle of Least Privilege: Minimal permission requests
- Input Validation: Validate all inputs at boundaries
Risk: API keys could be exposed through debugging or malicious code
Mitigation:
- Keys encrypted in storage
- No keys in source code or logs
- Memory clearing after use
Risk: Malicious content could execute scripts
Mitigation:
- DOMPurify sanitization
- Content Security Policy
- Input validation and escaping
Risk: Sensitive content sent to AI providers
Mitigation:
- User awareness and consent
- Local processing when possible
- Data minimization practices
Risk: API communication interception
Mitigation:
- HTTPS-only communication
- Certificate pinning (where applicable)
- Request signing
- GDPR: European privacy regulation compliance
- CCPA: California privacy law compliance
- Data Minimization: Collect only necessary data
- Right to Deletion: Users can delete their data
- OWASP Top 10: Address common vulnerabilities
- Chrome Web Store Policies: Compliance with store requirements
- Security by Design: Security considerations in all features
- Primary Contact: Aaron Sequeira (aaronsequeira12@gmail.com)
- Technical Lead: Development team
- Security Advisor: External security consultant (if needed)
- Detection: Vulnerability identified or reported
- Assessment: Evaluate severity and impact
- Containment: Implement immediate mitigations
- Investigation: Determine root cause and scope
- Resolution: Develop and deploy fix
- Communication: Notify affected users
- Documentation: Update security documentation
- Prevention: Implement measures to prevent recurrence
Critical:
- Remote code execution
- Arbitrary file access
- API key theft
- Complete system compromise
High:
- Privilege escalation
- Significant data exposure
- Authentication bypass
- Persistent XSS
Medium:
- Limited data exposure
- Reflected XSS
- CSRF vulnerabilities
- Information disclosure
Low:
- Minor information leakage
- Configuration issues
- Non-security functionality issues
- Security fixes prioritized over feature development
- Patches tested thoroughly before release
- Emergency releases for critical vulnerabilities
- Security advisories published when appropriate
- Critical Issues: Immediate notification via extension update
- Important Issues: Email notification to registered users
- General Issues: Release notes and changelog
- Chrome Extension Security
- OWASP Web Application Security
- Mozilla Web Security Guidelines
- Google Security Best Practices
For security-related questions or concerns:
- Email: aaronsequeira12@gmail.com
- Subject Line: [SECURITY] GenAI Browser Tool - [Brief Description]
- PGP Key: Available upon request
This security policy is reviewed and updated quarterly. Last updated: November 2024