whitelabel.dev

security & disclosure

effective may 12, 2026 · version 1.0

tl;dr — if you find a security issue in the whitelabel extension or whitelabel.dev, please email security@whitelabel.dev. we'll acknowledge within 72 hours, work with you on a fix, and credit you in the release notes once it's shipped. test responsibly and we won't pursue legal action.

/01 reporting a vulnerability

send a write-up to security@whitelabel.dev. please include:

  • component — extension version, browser, OS; or the url on whitelabel.dev
  • impact — what an attacker can do
  • reproduction — minimal steps, ideally with screenshots, video, or a proof-of-concept
  • your handle — if you'd like credit when we publish the fix

encrypted email is fine — request our pgp key in your first message and we'll reply with the fingerprint.

/02 response timeline

  • 72 hours — we acknowledge your report and assign it an internal id.
  • 7 days — we share a triage assessment (severity, likely fix path).
  • 30–90 days — we ship a fix in a tagged release. critical issues are turned around faster; complex changes can take longer, and we'll keep you in the loop.
  • after fix — coordinated disclosure: you get credit (if you want it), and we publish a brief advisory in the release notes.

/03 what's in scope

  • the whitelabel browser extension on every officially supported store (chrome, edge, firefox, safari)
  • the whitelabel.dev website, including all subpaths under the apex domain
  • any whitelabel-operated production service that the extension or site relies on

out of scope

  • third-party services we integrate with — report those to the third party directly (anthropic, openai, google, etc.)
  • denial-of-service attacks, social engineering, or physical-security issues
  • vulnerabilities requiring an already-compromised device or stolen credentials with no privilege escalation
  • missing security headers without a demonstrable exploit
  • self-xss that requires the victim to paste attacker-supplied code into their own devtools

/04 safe harbor

if you make a good-faith effort to follow this policy, we will:

  • not pursue or support legal action against you for your research
  • work with you to understand and resolve the issue quickly
  • publicly credit you when the fix ships, if you'd like

please: do not access data that isn't yours, do not disrupt our service or other users, do not run automated scans against production without prior coordination, and give us a reasonable window to fix the issue before publicly disclosing it.

/05 supported versions

we support the latest published release of the extension on each store. older versions only receive fixes for the most severe (critical / high) issues — please update to the latest version before reporting a bug as a vulnerability. the website is updated continuously.

/06 ai-specific considerations

the extension uses ai providers via your own api key. issues stemming from a model's behavior (jailbreaks, prompt-injection in third-party content) are largely the provider's responsibility — please report those to the relevant provider. however, if you find a way to leak your data or another user's data through the extension's ai integration, that's in scope and we want to hear about it.

/07 contact

security: security@whitelabel.dev · everything else: hi@whitelabel.dev.
