Do not open public GitHub issues for security vulnerabilities.
Report vulnerabilities through:
- GitHub Security Advisories (preferred): Create a private security advisory
Please include:
- Description of the vulnerability and potential impact
- Steps to reproduce or a minimal proof of concept
- The version(s) affected
What to expect:
- Acknowledgment within 48 hours
- Status update within 7 days
- Credit in the release notes (unless you prefer to stay anonymous)
Supported versions:
| Version | Supported |
|---|---|
| Latest | Yes |
Security design:
- Local-only communication: WebSocket between extension and server runs on localhost only
- Origin validation: Server rejects connections from non-extension origins
- No data exfiltration: Nothing leaves your machine. No cloud, no telemetry, no analytics
- Minimal permissions: Extension requests only the Chrome permissions it needs
- Strict TypeScript: Compiled with strict mode to reduce runtime errors
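The first two points above (localhost-only transport and origin validation) are the checks a local WebSocket server applies at handshake time. The following is an added example written for this page, not the project's own code: it evaluates a handshake the way a Node `ws` server's `verifyClient` callback would see it, requiring a loopback peer address, a loopback `Host` header (which also defuses DNS-rebinding style requests), and an `Origin` equal to exactly `chrome-extension://<id>`. The extension id, port and sample handshakes are constructed placeholders.

```typescript
// Added example (not the project's own code): handshake checks for a
// localhost-only WebSocket server that should only talk to one Chrome extension.
// EXTENSION_ID is a constructed placeholder; a real id is 32 letters a-p.

const EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop";

// Chrome extension ids are 32 lowercase letters in the range a-p.
function isValidExtensionId(id: string): boolean {
  return /^[a-p]{32}$/.test(id);
}

// Chrome sends exactly "chrome-extension://<id>" as the Origin of a WebSocket
// opened from an extension page or service worker. Compare exactly: no prefix
// match, no case folding, no trailing slash, and no Origin means no browser.
function isAllowedOrigin(origin: string | undefined, extensionId: string): boolean {
  if (origin === undefined || !isValidExtensionId(extensionId)) return false;
  return origin === `chrome-extension://${extensionId}`;
}

// Accept only peers that actually arrived over the loopback interface.
// Node reports IPv4-mapped addresses as "::ffff:127.0.0.1" on dual-stack sockets.
function isLoopbackAddress(addr: string | undefined): boolean {
  if (!addr) return false;
  if (addr === "::1") return true;
  const v4 = addr.startsWith("::ffff:") ? addr.slice(7) : addr;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(v4);
}

// The Host header must name the loopback listener itself. A browser that
// resolved an attacker-controlled hostname to 127.0.0.1 would send that
// hostname here instead, so this check rejects it even before Origin is read.
function isLoopbackHost(host: string | undefined, port: number): boolean {
  if (!host) return false;
  return (
    host === `127.0.0.1:${port}` ||
    host === `localhost:${port}` ||
    host === `[::1]:${port}`
  );
}

interface HandshakeRequest {
  headers: Record<string, string | undefined>; // names lower-cased, as Node's HTTP parser does
  remoteAddress: string | undefined;           // socket.remoteAddress
}

type Decision = { accept: true } | { accept: false; reason: string };

// Apply the three checks in order; the reason is meant for the server's local log.
function evaluateHandshake(req: HandshakeRequest, port: number, extensionId: string = EXTENSION_ID): Decision {
  if (!isLoopbackAddress(req.remoteAddress)) return { accept: false, reason: "non-loopback peer" };
  if (!isLoopbackHost(req.headers["host"], port)) return { accept: false, reason: "unexpected Host header" };
  if (!isAllowedOrigin(req.headers["origin"], extensionId)) return { accept: false, reason: "origin not the extension" };
  return { accept: true };
}

// Constructed sample handshakes (not captured traffic).
const fromExtension: HandshakeRequest = {
  headers: { host: "127.0.0.1:9000", origin: `chrome-extension://${EXTENSION_ID}` },
  remoteAddress: "127.0.0.1",
};
const fromWebPage: HandshakeRequest = {
  headers: { host: "127.0.0.1:9000", origin: "https://example.com" },
  remoteAddress: "::ffff:127.0.0.1",
};
const viaRebinding: HandshakeRequest = {
  headers: { host: "attacker.example:9000", origin: `chrome-extension://${EXTENSION_ID}` },
  remoteAddress: "127.0.0.1",
};

console.log(evaluateHandshake(fromExtension, 9000)); // { accept: true }
console.log(evaluateHandshake(fromWebPage, 9000));   // { accept: false, reason: "origin not the extension" }
console.log(evaluateHandshake(viaRebinding, 9000));  // { accept: false, reason: "unexpected Host header" }
```

Wiring this into a real server means binding the listener to `127.0.0.1` (never `0.0.0.0`) and calling `evaluateHandshake` from the upgrade or `verifyClient` hook, closing the socket on any rejection. Note that the Origin check is an allow-list of one exact string; a check that merely looks for the `chrome-extension:` scheme would admit any other installed extension.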
In-scope:
- WebSocket security issues (authentication bypass, injection)
- Chrome extension permission escalation
- Data leakage through the MCP protocol
- Dependency vulnerabilities with a realistic exploit path
Out of scope:
- Issues in Chrome itself or the MCP SDK
- Denial of service via local WebSocket flooding
- Social engineering attacks