
Security: axumquant/cdp-network-interceptor


SECURITY.md

Security Policy

Supported Versions

Version   Supported
0.1.x     yes

Reporting a Vulnerability

If you discover a security vulnerability in this package, please do not open a public GitHub issue.

Instead, email security@axumquant.com with:

  1. A description of the vulnerability
  2. Steps to reproduce
  3. The affected version(s)
  4. Any potential impact you've identified

We aim to acknowledge reports within 72 hours and to ship a fix or mitigation within 14 days for high-severity issues.

Scope

This package intercepts browser network traffic and applies PII redaction. Security-relevant areas:

  • PII redaction patterns — defaults cover SSN, email, phone, MBI. Missing patterns that should be in the default set are security-relevant.
  • Sensitive header allow/deny logic — bugs that leak Authorization, Cookie, or auth tokens to forwarded events.
  • Memory exhaustion — the library buffers metadata for requests that have not yet completed. A malicious page that emits many unique requestIds without ever completing them could exhaust memory; the current cap is MAX_PENDING_REQUESTS, and any way to grow the buffer past that cap is in scope.
  • Debugger session hijack — incorrect cleanup of chrome.debugger.attach sessions on extension reload.
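
The following is an added illustration of the first three areas above, not cdp-network-interceptor's own code: a default PII pattern set (taking MBI to mean the Medicare Beneficiary Identifier and its published CMS format), a header deny list applied case-insensitively before an event is forwarded, and a bounded table of pending-request metadata keyed by CDP requestId. Function and class names, the cap value and the sample inputs are assumptions made for this example. The chrome.debugger cleanup case is omitted because it needs the extension runtime.

```javascript
// Added example, not the library's code. Names, the cap value and the sample
// data below are assumptions made for illustration.

// --- PII redaction --------------------------------------------------------
// Numeric patterns use digit look-arounds instead of \b so that "(555) 123-4567"
// still matches. MBI format (CMS): C A AN N A AN N A A N N, where C is 1-9,
// A is a letter excluding S L O I B Z, AN is either, N is a digit.
const L = 'AC-HJ-KM-NP-RT-Y'; // character-class body for the allowed MBI letters
const PII_PATTERNS = [
  ['SSN',   /(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)/g],
  ['PHONE', /(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)/g],
  ['EMAIL', /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g],
  ['MBI',   new RegExp(`\\b[1-9][${L}][${L}0-9]\\d-?[${L}][${L}0-9]\\d-?[${L}]{2}\\d{2}\\b`, 'g')],
];

function redactText(text) {
  let out = String(text);
  for (const [label, re] of PII_PATTERNS) out = out.replace(re, `[${label}]`);
  return out;
}

// --- Sensitive header filtering ------------------------------------------
// CDP reports header names as the page or server sent them, so a deny list
// keyed on 'Authorization' alone would let 'authorization' through.
const DENIED_HEADERS = new Set([
  'authorization', 'proxy-authorization', 'cookie', 'set-cookie',
  'x-api-key', 'x-auth-token', 'x-csrf-token',
]);
const BEARER_RE = /^\s*bearer\s+/i; // token values hiding under any other name

function sanitizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    const str = String(value);
    out[key] = DENIED_HEADERS.has(key) || BEARER_RE.test(str) ? '[REDACTED]' : redactText(str);
  }
  return out;
}

// --- Bounded pending-request table ----------------------------------------
const MAX_PENDING_REQUESTS = 2000; // assumed value for this example

class PendingRequests {
  constructor(cap = MAX_PENDING_REQUESTS) {
    this.cap = cap;
    this.entries = new Map(); // Map keeps insertion order: oldest entry first
    this.evicted = 0;
  }
  // On Network.requestWillBeSent: evict the oldest entry when full, so a page
  // that emits endless unique requestIds cannot grow the table without bound.
  add(requestId, meta) {
    if (this.entries.has(requestId)) {
      this.entries.delete(requestId); // re-insert to refresh its age
    } else if (this.entries.size >= this.cap) {
      const oldest = this.entries.keys().next().value;
      this.entries.delete(oldest);
      this.evicted += 1;
    }
    this.entries.set(requestId, meta);
  }
  // On Network.responseReceived / loadingFinished / loadingFailed: removing
  // the entry on every terminal event is what keeps the table small.
  take(requestId) {
    const meta = this.entries.get(requestId);
    this.entries.delete(requestId);
    return meta;
  }
  get size() { return this.entries.size; }
}

// Simulated flood (constructed input): n distinct requestIds, no responses.
function simulateFlood(n, cap) {
  const table = new PendingRequests(cap);
  for (let i = 0; i < n; i++) table.add(`req-${i}`, { url: `https://example.test/${i}` });
  return { size: table.size, evicted: table.evicted };
}

// Constructed sample data for a quick run.
const SAMPLE_TEXT = 'ssn 123-45-6789, call (555) 123-4567, mail jane.doe@example.com, mbi 1EG4-TE5-MK73';
const SAMPLE_HEADERS = { 'Authorization': 'Bearer abc.def', 'Content-Type': 'text/html',
                         'X-Custom': 'bearer zzz', 'X-Note': 'from jane.doe@example.com' };
console.log(redactText(SAMPLE_TEXT));
console.log(sanitizeHeaders(SAMPLE_HEADERS));
console.log(simulateFlood(5000, 100));
```

Redacting the header values that do pass the deny list (the `redactText` call in `sanitizeHeaders`) covers PII that arrives in custom headers rather than the body; the bearer check catches tokens under non-standard header names, which a pure name-based deny list misses.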

Out of scope:

  • Issues in chrome.debugger.* itself (report to Chromium)
  • Issues in dependent extensions that misuse this library's API

There are no published security advisories for this repository.