Security: DenisPodgurskii/pentestkit

SECURITY.md

Security Policy

Supported Versions

We aim to fix security issues in the latest release and the current main branch.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, use one of the following private channels:

  • GitHub Private Vulnerability Reporting (preferred, if enabled for this repository)
    Go to the repo → Security tab → Report a vulnerability

If GitHub Private Vulnerability Reporting is not available, contact the maintainer privately:

When reporting, please include:

  • A clear description of the vulnerability and impact
  • Steps to reproduce (PoC if possible)
  • Affected versions / browsers (Chromium / Firefox)
  • Any relevant logs, screenshots, or sample payloads
  • Your suggested fix (optional)

What to expect

  • We will acknowledge receipt of your report within 7 days.
  • We will investigate and work on a fix as quickly as possible.
  • We may request additional details to reproduce the issue.
  • Once fixed, we will coordinate disclosure and credit (if you want it).

Disclosure guidelines

  • Please allow a reasonable time for us to patch before public disclosure.
  • If the issue is actively exploited or high severity, we will prioritize it and may publish mitigations sooner.

Security scope notes (browser extension)

PTK interacts with:

  • web pages and the DOM (content scripts)
  • background logic and storage
  • scanning modules that may generate requests/payloads

If you suspect a vulnerability that could impact:

  • extension integrity (privilege escalation, RCE, data exfiltration)
  • unsafe default behavior (out-of-scope attacks, destructive actions)
  • supply chain risks

…please report it privately using the process above.

There aren’t any published security advisories