Skip to content

Security: BigCatNotFat/PacificOceanAI

Security

SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities for the following versions:

Version Supported
3.3.x
3.0.x
< 3.0

Reporting a Vulnerability

We take the security of PacificOceanAI seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please Do Not

  • Do not open a public GitHub issue for security vulnerabilities
  • Do not disclose the vulnerability publicly until it has been addressed

Please Do

  1. Open a private security advisory draft at: https://github.com/BigCatNotFat/PacificOceanAI/security/advisories/new

  2. Include:

    • A description of the vulnerability
    • Steps to reproduce the issue
    • Potential impact
    • Any suggested fixes (if available)
  3. Allow time for us to respond and fix the issue before public disclosure

  4. Provide your contact information so we can follow up with you

What to Expect

  • Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
  • Updates: We will keep you informed about our progress
  • Timeline: We aim to release a fix within 30 days for critical vulnerabilities
  • Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)

Security Best Practices for Users

API Key Security

  • Never share your API keys publicly
  • Use environment-specific keys for development and production
  • Rotate keys regularly if you suspect they may be compromised
  • Revoke immediately if a key is exposed

Extension Security

  • Download only from official sources such as GitHub releases or a verified extension store listing
  • Verify the extension's permissions before installation
  • Keep updated to the latest version for security patches
  • Review the privacy policy and understand data handling

Data Privacy

  • Be aware that your text content is sent to third-party AI services
  • Review the privacy policies of AI providers you use
  • Avoid sending sensitive or confidential information
  • Use your own API keys rather than shared accounts

Known Security Considerations

Third-Party AI Services

When using PacificOceanAI, your text content is sent to third-party AI services (OpenAI, Anthropic, Google, etc.) based on your configuration. Please:

  • Review the privacy policies of these services
  • Understand their data retention policies
  • Be cautious with sensitive information

Local Storage

  • API keys and model settings are stored in browser-managed extension storage
  • Data-at-rest protection depends on the browser profile and operating system
  • Clearing browser data will remove all stored information

Network Security

  • All API communications use HTTPS
  • No data is sent to our servers (we don't have any)
  • Extension only operates on Overleaf domains

Browser Extension Attack Surface

PacificOceanAI is a browser extension that interacts with Overleaf pages through content scripts and an injected bridge. Security review should pay special attention to:

  • extension permission boundaries
  • message passing between the page, content script, and extension runtime
  • prompt/tool injection attempts through LaTeX project content
  • API key handling and OAuth token handling
  • document-editing actions that modify user projects

Security Updates

Security updates will be released as soon as possible after a vulnerability is confirmed. Users will be notified through:

  • GitHub Security Advisories
  • Release notes
  • Extension update notifications

Scope

This security policy applies to:

  • The PacificOceanAI browser extension
  • Official distribution channels
  • Documentation and examples

It does not apply to:

  • Third-party forks or modifications
  • User-configured API endpoints
  • Third-party AI services

Contact

For security concerns, please contact:

For general questions, please use GitHub Issues or Discussions.


Last Updated: June 28, 2026

There aren't any published security advisories