Security

Security-sensitive issues should be reported privately, not posted publicly.

Reporting a vulnerability

Do not post security vulnerabilities publicly — not in GitHub issues, not in public forums, not in social channels. Report sensitive issues by email to: [email protected]

What a useful report includes

  • affected Lexora version
  • browser name and version
  • operating system
  • reproduction steps or a focused proof of concept
  • impact assessment

Security-relevant areas in Lexora

  • Provider routing — unintended routing of selected text to external services
  • Selected-text handling — unsafe outbound transmission or unintended exposure of selected content
  • Extension message boundaries — message spoofing or boundary confusion between page context and extension context
  • Token and key leakage — AI provider keys or credentials exposed or logged
  • Settings and privacy bypasses — circumventing user-configured privacy controls or provider restrictions

Response

We will acknowledge security reports and coordinate disclosure timing with the reporter. Public credit is available if desired.