If you discover a security vulnerability in this extension, please report it responsibly.
- Do NOT open a public GitHub issue for security vulnerabilities
- Send an email to belajar.nizen@gmail.com, or use GitHub Security Advisories to report privately
Include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
| Action | Timeframe |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 7 days |
| Fix release | Within 30 days of confirmation |
This extension follows strict security principles:
- Zero network calls — The extension never makes HTTP requests, WebSocket connections, or any form of external communication
- No dynamic code execution — No `eval()`, `new Function()`, or `innerHTML` with user data
- Minimal permissions — Only `storage`, `notifications`, and `tabs` are requested
- Local-only data — All settings stored via `browser.storage.local`, never synced externally
- Content Script isolation — Runs only on OWA-pattern URLs, verified by DOM detection at runtime
- No third-party dependencies — Pure vanilla JavaScript, no external libraries or CDNs
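As an added example (written for this page, not code from the extension), the following script checks an unpacked extension directory against the principles listed above: permissions beyond `storage`/`notifications`/`tabs`, `eval()`/`new Function()`, `innerHTML` writes, network APIs, and `storage.sync`. The regexes are this example's own heuristics; `audit_sources` works on in-memory inputs so the check can be unit-tested, and `audit_extension` wraps it for a directory on disk.

```python
import json
import os
import re

# Permissions the policy above says the extension requests.
ALLOWED_PERMISSIONS = {"storage", "notifications", "tabs"}

# Source patterns that contradict the stated principles. These are this
# example's own heuristics, not a parser: every innerHTML write is flagged,
# so a reviewer still confirms whether user data reaches it.
FORBIDDEN_PATTERNS = {
    "dynamic code (eval)": re.compile(r"\beval\s*\("),
    "dynamic code (new Function)": re.compile(r"\bnew\s+Function\s*\("),
    "innerHTML write": re.compile(r"\.innerHTML\s*\+?=(?!=)"),
    "network call (fetch)": re.compile(r"\bfetch\s*\("),
    "network call (XMLHttpRequest)": re.compile(r"\bXMLHttpRequest\b"),
    "network call (WebSocket)": re.compile(r"\bnew\s+WebSocket\s*\("),
    "synced storage": re.compile(r"\bstorage\.sync\b"),
}


def audit_sources(manifest, sources):
    """manifest: parsed manifest.json; sources: file name -> JavaScript text.
    Returns (file, line_no, finding) tuples; an empty list means no findings."""
    findings = []
    extra = set(manifest.get("permissions", [])) - ALLOWED_PERMISSIONS
    for perm in sorted(extra):
        findings.append(("manifest.json", 0, f"permission beyond policy: {perm}"))
    for name, text in sorted(sources.items()):
        for line_no, line in enumerate(text.splitlines(), 1):
            for label, pattern in FORBIDDEN_PATTERNS.items():
                if pattern.search(line):
                    findings.append((name, line_no, label))
    return findings


def audit_extension(root):
    """Audit an unpacked extension directory (manifest.json plus *.js files)."""
    with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    sources = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.endswith(".js"):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8") as fh:
                    sources[os.path.relpath(path, root)] = fh.read()
    return audit_sources(manifest, sources)


if __name__ == "__main__":
    import sys
    for rel, line_no, finding in audit_extension(sys.argv[1]):
        print(f"{rel}:{line_no}: {finding}")
```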
Supported versions:
| Version | Supported |
|---|---|
| 2.0.x | ✅ Active |
| < 2.0 | ❌ End of life |
The following are in scope for security reports:
- Data leaks (email content, folder names, credentials)
- Cross-site scripting (XSS) via DOM manipulation
- Privilege escalation beyond declared permissions
- Unintended network requests
- Information disclosure via browser console logging
The following are out of scope:
- Issues requiring physical access to the user's machine
- Social engineering attacks
- Vulnerabilities in Firefox itself
- Denial of service via CPU usage (1-second polling is by design)