Security: LukeSteward/JayQuery

SECURITY.md

Security policy

Supported versions

Security fixes are applied to the latest release published on the Chrome Web Store and to the default branch of this repository (main). Older store builds or tags are not guaranteed to receive backports.

Reporting a vulnerability

Please do not open a public issue for undisclosed security problems.

  1. Preferred: Use GitHub private vulnerability reporting for this repository.
  2. If that is unavailable, open a draft security advisory or contact the maintainers through a private channel they have published on their profile or project pages.

Include as much as you can: affected version or commit, reproduction steps, impact, and any suggested fix.

What we consider in scope

Examples of reports we want to hear about:

  • Issues that could expose user data beyond what the extension is designed to do (e.g. unexpected exfiltration of browsing data or stored settings).
  • Permission abuse or network misuse (e.g. calls to hosts not covered by the declared host_permissions, or unexpected use of tabs / storage).
  • Integrity of the distributed package (e.g. supply-chain or build concerns you believe affect published artifacts).

Out of scope for this project (by design or limitation):

  • Findings that depend on malicious extensions already installed in the browser.
  • DNS spoofing or compromised DoH resolvers on the client network (the extension trusts configured DoH endpoints similarly to other DNS clients).
  • Purely informational DNS or email-configuration results (SPF/DMARC/DKIM scores are assessments, not secrets).

Disclosure

We aim to acknowledge valid reports promptly and to ship fixes through the normal extension update process. We appreciate responsible disclosure and credit researchers when publishing advisories, unless you prefer to remain anonymous.

There aren't any published security advisories