
Security: ProductOfAmerica/PasswordGenerator

SECURITY.md

Security Policy

Strong Password Generator handles cryptographic randomness and the user's clipboard, so security reports are taken seriously. Thank you for helping keep users safe.

Supported Versions

Only the latest 2.x release published to the Chrome Web Store receives security updates. Older 1.x builds were a separate codebase (Manifest V2, no CSPRNG) and are no longer maintained; please upgrade.

Version   Supported
2.x       Yes
1.x       No

Reporting a Vulnerability

Please do not open a public GitHub issue for security problems.

Report privately through GitHub's built-in private vulnerability reporting:

  1. Go to https://github.com/ProductOfAmerica/PasswordGenerator/security/advisories/new
  2. Describe the issue with reproduction steps, affected versions, and impact.
  3. Include a proof of concept if one is feasible.

If you cannot use GitHub Security Advisories for any reason, open an issue titled "security contact request" (no details) at https://github.com/ProductOfAmerica/PasswordGenerator/issues and a private channel will be arranged.

What to expect

This is a solo-maintained project, so timelines are best-effort:

  • Acknowledgement: within 7 days of the report.
  • Triage and severity assessment: within 14 days.
  • Fix and Chrome Web Store submission: target within 30 days for confirmed high-severity issues; lower-severity issues are batched into the next release.
  • Public disclosure: coordinated with the reporter, typically after a fix has rolled out via the Chrome Web Store. Reporters are credited in the release notes unless they request otherwise.

If a report is declined (out of scope, not reproducible, expected behavior, etc.), you will receive a written explanation.

Scope

In scope:

  • Flaws in random number generation, including bias in getRandomIndex() or the Fisher-Yates shuffle in src/utils/password.ts.
  • Generated passwords being written to disk, chrome.storage, the network, the DOM outside the popup, or any persistence layer.
  • Failure of the 30-second clipboard auto-clear, or any path that leaks the clipboard to other origins or extensions.
  • Privilege escalation, permission abuse, or any feature that requires permissions beyond storage.
  • Vulnerable dependencies that affect the production extension bundle (not dev-only tooling).
  • Manifest V3 permission or CSP misconfigurations in wxt.config.ts or the generated manifest.
  • Cross-site scripting, prototype pollution, or injection in the popup, welcome page, or privacy page.

Out of scope:

  • Vulnerabilities that require a pre-compromised browser, malicious extension already installed, or physical device access.
  • Issues in development dependencies that do not ship in the production build (e.g. test runners, build tools).
  • Reports generated by automated scanners without a working proof of concept.
  • Self-XSS or social engineering of the end user.
  • Weaknesses in third-party services Chrome itself provides (Sync, Web Store, the browser's CSPRNG implementation).
  • Generated passwords being "guessable" when the user disables character classes or chooses a very short length; this is a configuration choice, not a vulnerability.

Safe Harbor

Good-faith security research conducted under this policy is welcomed. Researchers who:

  • avoid privacy violations, data destruction, and service disruption,
  • only test against their own browser profile and installation,
  • give a reasonable window to fix the issue before public disclosure,

will not have legal action pursued against them for that research.

Hardening Already in Place

For context when assessing reports, the extension already does the following (see README.md and src/utils/password.ts):

  • All randomness comes from crypto.getRandomValues(). Math.random() is not used anywhere in generation paths.
  • Rejection sampling eliminates modulo bias for arbitrary range sizes.
  • Generated passwords live only in reactive component state; nothing is persisted to chrome.storage, localStorage, IndexedDB, or the network.
  • The clipboard is cleared 30 seconds after copy.
  • The extension declares only the storage permission. No tabs, activeTab, host_permissions, or content scripts.
  • All assets (fonts, images, scripts) are bundled locally; the extension makes zero network requests at runtime.
  • Dependencies are tracked by Dependabot, with pnpm overrides used to force-upgrade transitive packages flagged in security advisories.
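As an added illustration of the first two hardening bullets (the CSPRNG source, rejection sampling, and the Fisher-Yates shuffle that the scope section also names), the JavaScript below is not code from the PasswordGenerator project; getRandomIndex() in src/utils/password.ts is the project's own routine and is not reproduced here. The function names, the injectable byte source used for deterministic testing, and the single-byte draw (ranges up to 256, whereas the project's rejection sampling is described as handling arbitrary range sizes) are this example's own choices. The histogram helper pushes all 256 byte values through a mapping so the modulo bias a reviewer would be looking for is visible directly, without statistics.

```javascript
// Added example (not the project's code): unbiased index selection by
// rejection sampling over a CSPRNG, a Fisher-Yates shuffle built on it, and a
// histogram that makes modulo bias visible. All names are this example's own.

// A "source" fills a Uint8Array with random bytes and returns it, mirroring
// crypto.getRandomValues(); injecting it lets tests use deterministic bytes.
function defaultSource(buf) {
  // Assumes WebCrypto: browsers and Node 19+ expose it on globalThis,
  // older Node through require("node:crypto").webcrypto.
  const c = globalThis.crypto ||
    (typeof require === "function" ? require("node:crypto").webcrypto : undefined);
  if (!c) throw new Error("no CSPRNG available");
  return c.getRandomValues(buf);
}

// Deterministic source for tests: hands out `values` in order, cycling.
function makeSequenceSource(values) {
  let n = 0;
  return (buf) => {
    for (let i = 0; i < buf.length; i++) buf[i] = values[n++ % values.length];
    return buf;
  };
}

// Biased mapping: byte % range. When 256 is not a multiple of `range`, the
// low residues are each backed by one extra byte value.
function biasedIndex(range, byte) {
  return byte % range;
}

// Unbiased mapping of one byte: returns null (reject) for byte values at or
// above the largest multiple of `range` that fits in 256, so every residue is
// backed by exactly floor(256 / range) byte values.
function rejectionIndex(range, byte) {
  const limit = 256 - (256 % range);
  return byte < limit ? byte % range : null;
}

// Draw bytes until one is accepted. At least half of all byte values are
// accepted for any range <= 256, so the expected number of draws is <= 2.
function unbiasedIndex(range, source = defaultSource) {
  if (!Number.isInteger(range) || range < 1 || range > 256) {
    throw new RangeError("range must be an integer in 1..256 (single-byte draw)");
  }
  const buf = new Uint8Array(1);
  for (;;) {
    source(buf);
    const idx = rejectionIndex(range, buf[0]);
    if (idx !== null) return idx;
  }
}

// Fisher-Yates: walk from the end, swapping each slot with a uniformly chosen
// slot at or before it. Returns a new array; the input is not mutated.
function shuffle(items, source = defaultSource) {
  const out = items.slice();
  for (let i = out.length - 1; i > 0; i--) {
    const j = unbiasedIndex(i + 1, source);
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out;
}

// One character from each enabled class guarantees coverage; the shuffle
// hides which positions held the guaranteed characters.
function generatePassword(length, classes, source = defaultSource) {
  if (classes.length === 0 || length < classes.length) {
    throw new RangeError("need at least one class and length >= number of classes");
  }
  const chars = classes.map((cls) => cls[unbiasedIndex(cls.length, source)]);
  const pool = classes.join("");
  while (chars.length < length) chars.push(pool[unbiasedIndex(pool.length, source)]);
  return shuffle(chars, source).join("");
}

// Push every one of the 256 byte values through `indexFn` and count where
// each lands; `indexFn` returns null for a rejected draw.
function histogram(range, indexFn) {
  const counts = new Array(range).fill(0);
  let rejected = 0;
  for (let byte = 0; byte < 256; byte++) {
    const idx = indexFn(byte);
    if (idx === null) rejected++;
    else counts[idx]++;
  }
  return { counts, rejected };
}

// Stand-alone demo: range 6 shows the bias plainly (256 = 6 * 42 + 4).
console.log("byte % 6    :", histogram(6, (b) => biasedIndex(6, b)));
console.log("rejection   :", histogram(6, (b) => rejectionIndex(6, b)));
```

The property worth checking in a report is the one the histogram exposes: with `byte % 6`, four residues are hit 43 times and two only 42, while rejection sampling hits all six exactly 42 times at the cost of discarding four byte values. The same argument applies to any range that does not divide the size of the draw, which is why the shuffle draws a fresh unbiased index for every position instead of reusing one biased byte.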

If a report contradicts any of the above, please call that out explicitly so it can be prioritized.
