Security Policy - ContextFort

Reporting Security Vulnerabilities

Please report security vulnerabilities privately.Do NOT open public issues for security vulnerabilities.

Email

security@contextfort.ai

GitHub

Use Private Vulnerability Reporting

What to Include

Vulnerability Report Details

Description of the vulnerability
Steps to reproduce
Potential impact
Suggested fix (if any)

Response Timeline

Initial Response

Within 48 hours of report

Status Update

Within 5 business days

Fix Timeline

Based on severity:

Critical: 1-3 days
High: 1 week
Medium: 2 weeks
Low: 1 month

Supported Versions

Version	Supported
1.0.x	✅ Yes
< 1.0	❌ No

Security Update Process

Vulnerability Reported

Via email or private GitHub report

Assessment

Security team evaluates severity and impact

Fix Development

Patch developed and tested

Release

Security update pushed to Chrome Web Store

Disclosure

Public disclosure after fix is deployed (coordinated disclosure)

Security Features

Current Implementation

ContextFort is designed with security-first architecture and local-first processing.

Local Storage Only

No data transmitted to external servers

No Cloud Dependencies

All processing happens in-browser

Content Security Policy

Strict CSP prevents XSS attacks

Minimal Permissions

Only required permissions requested

Open Source

Full code audit available on GitHub

Manifest V3

Latest Chrome extension security standards

Data Security

Screenshots
Sessions
Rules
Analytics

Stored locally in Chrome storage
Encrypted at rest by Chrome
Never transmitted externally

Third Party Dependencies

Runtime Dependencies

PostHog Analytics

Purpose: Optional usage analytics
Can be disabled: Yes, with one line change
Data transmitted: Event names and timestamps only (no PII)
Security: SOC2 compliant vendor

Security Scanning

Dependabot

Automated dependency vulnerability scanning

Regular Audits

Security audits of all dependencies

Prompt Updates

Quick response to known vulnerabilities

Compliance

Current Status

See the Compliance page for detailed roadmap.

Standard	Status	Notes
GDPR	✅ Compliant	Data processing happens locally, no data transmission
CCPA	✅ Compliant	No sale of personal information
HIPAA	✅ Compliant	No PHI transmission, local storage only
SOC2	🔄 In Progress	Q2 2025 (for enterprise features)
ISO 27001	📅 Planned	Q3 2025 (for enterprise features)

Code Security

Repository Security

Branch Protection
Automated Scanning
Commit Security

Protected main branch
Pull request reviews required
Status checks must pass

Extension Security

Manifest V3

Latest Chrome extension security standard

No eval()

No dynamic code execution

Strict CSP

Content Security Policy enforced

Web Store Review

Chrome Web Store security review (pending)

Security Best Practices

For Users:

Clear stored data regularly to minimize PII exposure
Review blocking rules to prevent unauthorized access
Keep extension updated to latest version
Disable analytics if handling sensitive data

For Developers:

Follow secure coding practices
Review security policy before contributing
Report vulnerabilities privately
Sign commits when possible

Contact

For security concerns:

Email

security@contextfort.ai

GitHub

@ContextFort-AI

For general questions, see the README.

Get Started

Core Features

Dashboard

Configuration

Security & Compliance

​Reporting Security Vulnerabilities

Email

GitHub

​What to Include

​Response Timeline

​Supported Versions

​Security Update Process

​Security Features

​Current Implementation

Local Storage Only

No Cloud Dependencies

Content Security Policy

Minimal Permissions

Open Source

Manifest V3

​Data Security

​Third Party Dependencies

​Runtime Dependencies

​Security Scanning

Dependabot

Regular Audits

Prompt Updates

​Compliance

​Current Status

​Code Security

​Repository Security

​Extension Security

Manifest V3

No eval()

Strict CSP

Web Store Review

​Security Best Practices

​Contact

Email

GitHub

Build docs developers (and LLMs) love

Reporting Security Vulnerabilities

What to Include

Response Timeline

Supported Versions

Security Update Process

Security Features

Current Implementation

Data Security

Third Party Dependencies

Runtime Dependencies

Security Scanning

Compliance

Current Status

Code Security

Repository Security

Extension Security

Security Best Practices

Contact