Description
As a Chrome Extension that requests high-level permissions for Gmail, it is critical that we clearly communicate our security posture to users and contributors. We need to formalize our "Zero external data storage" claim and define the process for reporting vulnerabilities.
Requirements
- Vulnerability Disclosure Policy: Define a clear process (e.g., security email or GitHub Private Vulnerability Reporting) for researchers to report bugs without public disclosure.
- Data Handling Transparency: Explicitly document that all Gmail data processing occurs within the Chrome Storage API and local browser memory, never touching external servers.
- OAuth Scopes Disclosure: List the specific Gmail API scopes used and explain why each is necessary (e.g., https://www.googleapis.com/auth/gmail.modify for bulk deletion).
- Security Updates: Define the expected timeline for patching dependencies identified by GitHub Dependabot.
Implementation Plan
- Drafting: Create a SECURITY.md file in the root directory.
- Architecture Section:
* Explain the shift from Backend-API to Browser Automation/Content Scripts to highlight reduced data exposure.
  * Detail how OAuth tokens are stored securely, comparing chrome.storage.local (persisted to disk) with session storage (kept in browser memory only).
- Reporting: Provide a dedicated contact method for security concerns to prevent "zero-day" exploits from being posted in public Issues.
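As an added illustration of the token-storage point in the Architecture section (example code, not the project's own): a small wrapper that keeps the Gmail access token together with its expiry in whichever chrome.storage area it is handed, so the caller can choose chrome.storage.session (memory only, cleared when the browser closes) over chrome.storage.local (written to the profile on disk). The key name, the helper names and the in-memory stand-in area used to run this outside Chrome are assumptions.

```javascript
// Added example, not the extension's own code. `storageArea` is any object with the
// promise-based chrome.storage.StorageArea get/set/remove methods; in the extension pass
// chrome.storage.session so the token never reaches disk, unlike chrome.storage.local.
const TOKEN_KEY = 'gmail_oauth_token'; // assumed key name

function createTokenStore(storageArea, now = () => Date.now()) {
  return {
    // Store the token with an absolute expiry; expiresInSec comes from the OAuth response.
    async save(accessToken, expiresInSec) {
      const record = { accessToken, expiresAt: now() + expiresInSec * 1000 };
      await storageArea.set({ [TOKEN_KEY]: record });
      return record;
    },
    // Return the token only while it is present and unexpired; an expired record is
    // removed so a stale credential is never handed back to the Gmail client code.
    async load() {
      const result = await storageArea.get(TOKEN_KEY);
      const record = result[TOKEN_KEY];
      if (!record) return null;
      if (record.expiresAt <= now()) {
        await storageArea.remove(TOKEN_KEY);
        return null;
      }
      return record.accessToken;
    },
    // Call on sign-out or token revocation so no credential outlives the user's session.
    async clear() {
      await storageArea.remove(TOKEN_KEY);
    },
  };
}

// Minimal in-memory stand-in for a chrome.storage area (assumed helper) so the file can
// be exercised outside Chrome; it mimics the {key: value} shape get() resolves to.
function createMemoryArea() {
  const data = {};
  return {
    async get(key) { return key in data ? { [key]: data[key] } : {}; },
    async set(items) { Object.assign(data, items); },
    async remove(key) { delete data[key]; },
  };
}
```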