This extension runs entirely locally with zero network requests and zero runtime dependencies, minimizing the attack surface.
| Version | Supported | Status |
|---|---|---|
| 1.0.x | Yes | Active |
| < 1.0 | No | EOL |
- Email: json-anonymizer-security@proton.me
- Expected Response: 48-72 hours
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: You'll receive confirmation within 48 hours
- Investigation: We'll investigate and verify the issue
- Fix Development: Critical issues will be patched immediately
- Disclosure: Coordinated disclosure after fix is released
- Credit: Security researchers will be credited (unless you prefer anonymity)
- Processes JSON files locally only
- No network requests ever made
- No data collection or telemetry
- No external dependencies at runtime
- No file system access beyond user selection
- No persistent storage
- Cannot send data externally
- Cannot access other extensions
- Cannot read files without user action
- Cannot execute external commands
- Cannot modify system settings
```json
{
  "runtime_dependencies": 0,
  "dev_dependencies": "pinned versions only",
  "security_scanning": "GitHub Dependabot enabled",
  "build_verification": "npm audit on every build",
  "code_review": "all changes reviewed before merge"
}
```
- No new runtime dependencies without justification
- All dev dependencies pinned to specific versions
- No network requests
- No file system access beyond VSCode API
- No eval() or dynamic code execution
- No external command execution
- Input validation for all JSON parsing
- Signed commits preferred
In case of a security incident:
- Immediate: Vulnerable versions will be deprecated
- Within 24h: Security patch released
- Within 48h: All users notified via GitHub
- Within 7d: Post-mortem published
Not applicable (VSCode extension, not web application)
You can verify the extension's behavior yourself:
- Check the network tab: no requests are made
- Review the source code: fully open source
- Check permissions: minimal VSCode API usage
- Monitor the file system: no unexpected file access
This is a personal open-source project without a formal bug bounty program. However, security researchers who report valid vulnerabilities will be:
- Credited in the CHANGELOG
- Thanked in the release notes
- Added to SECURITY.md acknowledgments
| Date | Issue | Severity | Status |
|---|---|---|---|
| None | No security issues reported to date | N/A | N/A |
- Security Issues: json-anonymizer-security@proton.me
- General Issues: Use GitHub Issues
- Response Time: Best effort, typically 48-72 hours
Thanks to the following security researchers:
- Your name could be here
Last Updated: January 2025
Next Review: April 2026
This is a personal open-source project. While I take security seriously and will address issues promptly, this software is provided "AS IS" without any warranty. See LICENSE for full details.