Security Policy

We take the security of 2FA Authenticator seriously. Because this extension stores TOTP secrets, any vulnerability has direct impact on user account security across third-party services.

Reporting a Vulnerability

Please do not report security issues through public GitHub issues, the Chrome Web Store reviews, or social media. Instead, email security@authenticator.sh with a description of the issue, steps to reproduce, the affected version, and your name or handle if you would like public credit.

Response Timeline

  • Acknowledgment: within 72 hours
  • Initial assessment: within 7 days
  • Fix or mitigation timeline: within 14 days, depending on severity

If you do not receive a response within 72 hours, please follow up — your message may have been filtered.

Scope

In scope

  • Browser extension code
  • Build and release pipeline
  • Storage of TOTP secrets and backups
  • Cryptographic implementation
  • Third-party dependency vulnerabilities

Out of scope

  • Third-party services using TOTP
  • Vulnerabilities in Chrome itself
  • Social engineering of users
  • Physical access attacks
  • Denial of service

Safe Harbor

We will not pursue legal action against researchers who:

  • Make a good-faith effort to comply with this policy
  • Avoid privacy violations, data destruction, and service disruption
  • Do not access or modify data beyond what is necessary to demonstrate the issue
  • Do not exploit the vulnerability beyond confirming its existence
  • Report the issue promptly and do not disclose it publicly before coordination

We follow coordinated disclosure. Please give us a reasonable window (typically 90 days, or sooner if a fix ships) before public disclosure. We credit reporters in release notes unless you prefer to remain anonymous.

Machine-readable contact: /.well-known/security.txt