Skip to content

Security: gantrydev/aimask

Security

SECURITY.md

Security Policy

aimask custodies a user's OpenRouter credential and meters their spend, so security reports are treated as high priority.

Reporting a vulnerability

Please do not open a public issue for a security problem. Instead, report it privately:

Include the affected component (extension background worker, the page ↔ background bridge, the @aimask/sdk package, or the site), a description, reproduction steps, and the impact. Expect an acknowledgement within 3 business days, and a fix or mitigation plan within 14 days for confirmed issues.

Scope

In scope:

  • The extension: credential storage, the inpage ↔ content ↔ background bridge, and consent / budget enforcement.
  • The @aimask/sdk package.
  • The wire protocol and its trust boundaries: see SPEC.md §2 (design principles, especially key custody and untrusted outputs) and §10 (iframe / origin rules).

Out of scope: vulnerabilities in OpenRouter, in the browser itself, or in a website that consumes window.aimask. Per SPEC.md §2, model outputs are untrusted; a site that mishandles a completion is the site's bug, not aimask's.

What matters most

The credential never leaves the background worker and is stored encrypted (AES-GCM-256). Any path by which a page, content script, or the SDK can read the credential, spend without a matching grant, or exceed a granted per-origin budget is the highest severity.

There aren't any published security advisories