We take the security of DOM Agent seriously. This document outlines our security policies and procedures.

If you discover a security vulnerability in DOM Agent, please help us by reporting it responsibly.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing:

• security@dom-agent.dev
• Include [SECURITY] in the subject line

When reporting a security vulnerability, please include:

• A clear description of the vulnerability
• Steps to reproduce the issue
• Potential impact and severity
• Any suggested fixes or mitigations
• Your contact information for follow-up

• Acknowledgment: Within 24 hours of receiving your report
• Investigation: Initial assessment within 3 business days
• Updates: Regular updates on progress (at least weekly)
• Resolution: Timeline depends on severity and complexity

• Input Sanitization: All HTML content is sanitized to prevent XSS attacks
• CSP Headers: Content Security Policy implemented for webview
• Dependency Scanning: Regular security audits of dependencies
• Code Reviews: All changes undergo security-focused code reviews

• JavaScript Interception: Dangerous functions (eval, document.write) are blocked
• DOM Isolation: Webview content is isolated from extension context
• Permission Model: Minimal required permissions for functionality

• No Data Collection: DOM Agent does not collect or transmit user data
• Local Processing: All DOM analysis happens locally
• Clipboard Security: Secure clipboard operations with user consent

• Always validate input data
• Use parameterized queries when applicable
• Implement proper error handling
• Follow the principle of least privilege
• Keep dependencies updated
• Use secure coding practices

• Keep VS Code/Cursor updated
• Use trusted URLs for DOM inspection
• Be cautious with generated code
• Report suspicious behavior

• Critical: Immediate threat to user security or data
• High: Significant security risk with potential for damage
• Medium: Security weakness with limited exploitation potential
• Low: Minor security improvements needed

• Critical: Fix within 24 hours, immediate release
• High: Fix within 3 days, expedited release
• Medium: Fix within 2 weeks, next regular release
• Low: Fix in upcoming releases

We use the following labels for security-related issues:

• 🔴 security/critical: Critical security vulnerability
• 🟠 security/high: High-priority security issue
• 🟡 security/medium: Medium-priority security concern
• 🟢 security/low: Low-priority security improvement
• 🔵 security/enhancement: Security enhancement request

• Security Team: security@dom-agent.dev
• General Support: contact@dom-agent.dev
• Documentation: Security Documentation

We appreciate security researchers who help keep DOM Agent safe. With your permission, we may acknowledge your contribution in our security advisory or changelog.

This security policy is inspired by industry best practices and the OpenSSF Security Guide.