We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 3.3.x | ✅ |
| 3.0.x | ✅ |
| < 3.0 | ❌ |
We take the security of PacificOceanAI seriously. If you believe you have found a security vulnerability, please report it to us as described below.
- Do not open a public GitHub issue for security vulnerabilities
- Do not disclose the vulnerability publicly until it has been addressed
-
Open a private security advisory draft at: https://github.com/BigCatNotFat/PacificOceanAI/security/advisories/new
-
Include:
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Any suggested fixes (if available)
-
Allow time for us to respond and fix the issue before public disclosure
-
Provide your contact information so we can follow up with you
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Updates: We will keep you informed about our progress
- Timeline: We aim to release a fix within 30 days for critical vulnerabilities
- Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)
- Never share your API keys publicly
- Use environment-specific keys for development and production
- Rotate keys regularly if you suspect they may be compromised
- Revoke immediately if a key is exposed
- Download only from official sources such as GitHub releases or a verified extension store listing
- Verify the extension's permissions before installation
- Keep updated to the latest version for security patches
- Review the privacy policy and understand data handling
- Be aware that your text content is sent to third-party AI services
- Review the privacy policies of AI providers you use
- Avoid sending sensitive or confidential information
- Use your own API keys rather than shared accounts
When using PacificOceanAI, your text content is sent to third-party AI services (OpenAI, Anthropic, Google, etc.) based on your configuration. Please:
- Review the privacy policies of these services
- Understand their data retention policies
- Be cautious with sensitive information
- API keys and model settings are stored in browser-managed extension storage
- Data-at-rest protection depends on the browser profile and operating system
- Clearing browser data will remove all stored information
- All API communications use HTTPS
- No data is sent to our servers (we don't have any)
- Extension only operates on Overleaf domains
PacificOceanAI is a browser extension that interacts with Overleaf pages through content scripts and an injected bridge. Security review should pay special attention to:
- extension permission boundaries
- message passing between the page, content script, and extension runtime
- prompt/tool injection attempts through LaTeX project content
- API key handling and OAuth token handling
- document-editing actions that modify user projects
Security updates will be released as soon as possible after a vulnerability is confirmed. Users will be notified through:
- GitHub Security Advisories
- Release notes
- Extension update notifications
This security policy applies to:
- The PacificOceanAI browser extension
- Official distribution channels
- Documentation and examples
It does not apply to:
- Third-party forks or modifications
- User-configured API endpoints
- Third-party AI services
For security concerns, please contact:
- Security advisories: https://github.com/BigCatNotFat/PacificOceanAI/security/advisories/new
- GitHub: @BigCatNotFat
For general questions, please use GitHub Issues or Discussions.
Last Updated: June 28, 2026