diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e252cac..fa9182e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,8 @@ permissions:
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       matrix:
@@ -42,6 +44,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     needs: test
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
diff --git a/src/privacy.js b/src/privacy.js
index 6ade38d..92f25a6 100644
--- a/src/privacy.js
+++ b/src/privacy.js
@@ -213,10 +213,10 @@ function sanitizeText(text) {
     ? text.slice(0, MAX_TEXT_LENGTH)
     : text;
 
-  // Email addresses - use possessive-like matching to prevent backtracking
-  // Pattern: local part (alphanumeric, limited special chars) @ domain
+  // Email addresses - use simple linear pattern to prevent ReDoS
+  // Matches word characters/dots/hyphens before @, then domain
   sanitized = sanitized.replace(
-    /[a-zA-Z0-9](?:[a-zA-Z0-9._-]{0,62}[a-zA-Z0-9])?@[a-zA-Z0-9](?:[a-zA-Z0-9.-]{0,252}[a-zA-Z0-9])?\.[a-zA-Z]{2,63}/g,
+    /[\w.-]+@[\w.-]+\.[a-zA-Z]{2,}/g,
     '[email]'
   );