Only the latest release of the extension (the version currently on the
Chrome Web Store)
and the current main branch receive security fixes.
Please do not open a public issue for security vulnerabilities.
Use GitHub's private vulnerability reporting instead:
Report a vulnerability
(Security tab → "Report a vulnerability"). Include steps to reproduce, the
affected component (extension, or the Cloud Run proxy in server/), and the
impact you see.
You can expect an acknowledgment within a few days. Please give us a reasonable window to ship a fix before any public disclosure.
- The extension stores all profile/resume data locally
(
chrome.storage.local); there is no account system or server-side user data. See PRIVACY.md. - The managed proxy (
server/) holds no user data — only per-user daily request counters. Its threat model, hardening status, and accepted risks are documented in docs/SECURITY.md. - BYO-key mode sends requests directly from your browser to Google's Gemini API; your key never touches any server we run.