We actively support the following versions of Smart Form Filler with security updates:

We take security seriously. If you discover a security vulnerability in Smart Form Filler, please follow these guidelines:

DO NOT create a public GitHub issue for security vulnerabilities.

Please report security vulnerabilities by emailing us at:

• Security Team: Create a private security advisory

When reporting a vulnerability, please include:

1. Description: Clear description of the vulnerability
2. Steps to Reproduce: Detailed steps to reproduce the issue
3. Impact: Potential impact and severity assessment
4. Environment: Browser version, OS, extension version
5. Evidence: Screenshots, logs, or proof-of-concept (if safe to share)

• Initial Response: Within 48 hours
• Assessment: Within 7 days
• Resolution: Depends on severity, typically within 30 days
• Disclosure: Coordinated disclosure after fix is available

We consider the following in scope for security reports:

• Data Exfiltration: Unauthorized access to user data
• Code Injection: XSS, script injection, or similar attacks
• Permission Escalation: Gaining unauthorized browser permissions
• Authentication Bypass: Circumventing security controls
• AI Model Abuse: Malicious use of AI integration

• Information Disclosure: Unintended information exposure
• Session Management: Issues with state or session handling
• Input Validation: Improper validation leading to security issues
• Dependency Vulnerabilities: Known vulnerabilities in dependencies

• Social Engineering: Attacks requiring user social engineering
• Physical Security: Physical access to user devices
• Denial of Service: Simple DoS attacks without data compromise
• Rate Limiting: Issues that don't lead to data exposure
• UI/UX Issues: That don't have security implications

We implement several security measures:

• Minimal Permissions: Only request necessary browser permissions
• Content Security Policy: Strict CSP to prevent injection attacks
• Input Sanitization: All user inputs are properly validated
• Secure Communication: HTTPS for all external communications

• API Authentication: Secure API endpoint protection
• Input Validation: Comprehensive input validation and sanitization
• Error Handling: Secure error messages without information leakage
• Dependency Management: Regular updates and vulnerability scanning

• Data Privacy: Local processing when possible (Ollama)
• Prompt Injection Protection: Safeguards against malicious prompts
• Model Isolation: Isolated model execution environments
• Rate Limiting: Protection against abuse

We believe in responsible disclosure and will:

• Credit researchers in release notes (unless anonymity is requested)
• Provide timeline updates throughout the resolution process
• Publish advisories for significant vulnerabilities after fixes are deployed

• OWASP Browser Security Guide
• Chrome Extension Security Best Practices
• Node.js Security Best Practices

• Security Advisories: GitHub Security Advisories
• General Questions: Create an Issue
• Documentation: Contributing Guidelines

Thank you for helping keep Smart Form Filler secure! 🔒