We take the security of Late-Meet very seriously. If you believe you have found a security vulnerability in this project, please report it to us responsibly using the guidelines below.
We actively provide security patches for the following versions of Late-Meet:
| Version | Supported |
|---|---|
| 1.2.x | Yes |
| < 1.2.0 | No |
Please do not open public GitHub issues for security vulnerabilities, as this could expose users to potential risks before a patch is available. Instead, please report vulnerabilities via one of the following secure channels:
- GitHub Private Vulnerability Reporting: Go to the Security tab of this repository on GitHub, click Vulnerability reporting, and submit a private report.
- Email: Send an email describing the vulnerability to the project maintainers.
- Contact Email: chakrabortyshouri@gmail.com
Please include the following in your report:
- A detailed description of the vulnerability and the potential impact.
- Step-by-step instructions to reproduce the issue (including proof-of-concept scripts or screenshots if applicable).
- Details of your testing environment (e.g. Chrome browser version, OS version).
We follow a Coordinated Vulnerability Disclosure (CVD) process:
- Initial Response: We will acknowledge receipt of your report within 48 hours and provide an initial assessment.
- Resolution: We aim to resolve and release a patch for all verified high-severity vulnerabilities within 30 days of receipt.
- Public Disclosure: Once a fix is released, we will coordinate public disclosure of the vulnerability with you, giving you full credit for the discovery unless you choose to remain anonymous.
Thank you for helping keep Late-Meet secure!
- Never commit API keys to the repository
- API keys should be stored in `chrome.storage.local` only
- Rotate any accidentally exposed API keys immediately
- Keys should be treated like passwords — never share them
| Threat | Mitigation |
|---|---|
| XSS in extension pages | Strict CSP in manifest.json |
| API key theft | Encrypted storage, local-only sync |
| Malicious website access | Declare minimal permissions in manifest |
| Storage corruption | Schema validation on load |
| MITM transcript interception | HTTPS-only API endpoints |
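The API-key handling rules above and the "schema validation on load" mitigation in the table can be combined in one small settings module. The following is an added example written for this page, not Late-Meet's own code: the key is only ever written to the `local` storage area at runtime, the stored record is validated against an expected shape before any other code sees it, and a corrupt record is discarded rather than used. The storage backend is injected so the module runs outside a browser; `memoryStorage()` is a constructed stand-in for the `get`/`set`/`remove` subset of `chrome.storage.local`, and the settings key name and schema are assumptions.

```javascript
// Added example (not Late-Meet project code). Assumed storage key name and
// record shape; in the extension, pass chrome.storage.local as `storage`.

const SETTINGS_KEY = "lateMeetSettings"; // assumed key name

// Shape we expect to find in storage. Anything else is treated as corruption.
function isValidSettings(value) {
  return (
    value !== null &&
    typeof value === "object" &&
    typeof value.apiKey === "string" &&
    value.apiKey.length > 0 &&
    value.schemaVersion === 1
  );
}

// Persist the key. It is never embedded in source: it arrives at runtime
// (e.g. from an options-page form) and goes only to the local area, which is
// not synced to the user's account.
async function saveApiKey(storage, apiKey) {
  if (typeof apiKey !== "string" || apiKey.trim() === "") {
    throw new Error("apiKey must be a non-empty string");
  }
  await storage.set({ [SETTINGS_KEY]: { schemaVersion: 1, apiKey: apiKey.trim() } });
}

// Load and validate. On a corrupt or unexpected record we remove it and
// return null instead of handing unknown data to the rest of the extension.
async function loadSettings(storage) {
  const result = await storage.get(SETTINGS_KEY);
  const stored = result[SETTINGS_KEY];
  if (!isValidSettings(stored)) {
    if (stored !== undefined) {
      await storage.remove(SETTINGS_KEY); // drop the corrupt record
    }
    return null;
  }
  return stored;
}

// Remove the key, e.g. when it has been exposed and must be rotated.
async function clearApiKey(storage) {
  await storage.remove(SETTINGS_KEY);
}

// Constructed in-memory stand-in mirroring the promise-returning
// get/set/remove calls of chrome.storage.local used above.
function memoryStorage(initial = {}) {
  const data = { ...initial };
  return {
    async get(key) {
      return key in data ? { [key]: data[key] } : {};
    },
    async set(items) {
      Object.assign(data, items);
    },
    async remove(key) {
      delete data[key];
    },
  };
}

// Usage in the extension: await saveApiKey(chrome.storage.local, keyFromForm);
```

Keeping the validation in one place means a tampered or half-written record (for example from a crash during `set`) surfaces as "no settings" and a prompt to re-enter the key, rather than as undefined behaviour deeper in the extension.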
The extension should request minimal permissions:
- Only `activeTab` when possible instead of broad `tabs`
- Avoid `<all_urls>` host permissions
- Use the `scripting` API with specific URL patterns
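The permission rules above and the "strict CSP in manifest.json" row of the threat table are easy to check mechanically. Below is an added example, not part of the Late-Meet repository: a small audit function that reads a Manifest V3 object and reports requests for `tabs`, wildcard host permissions or content-script matches, `scripting` with no concrete hosts, and a weakened `extension_pages` CSP. The two manifests at the bottom are constructed for illustration; in a real project the function would be run over the parsed `manifest.json` in CI.

```javascript
// Added example (not Late-Meet project code). The manifests below are
// constructed for illustration only.

const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Returns a list of findings; an empty list means the manifest passes.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const hosts = manifest.host_permissions || [];

  // Prefer activeTab over the broad tabs permission.
  if (perms.includes("tabs")) {
    findings.push('"tabs" requested: use "activeTab" unless metadata for other tabs is required');
  }

  // Avoid wildcard host permissions.
  for (const h of hosts) {
    if (BROAD_HOST_PATTERNS.has(h)) {
      findings.push(`broad host permission ${h}: list the specific origins the extension needs`);
    }
  }

  // scripting should be paired with activeTab or specific host patterns.
  if (perms.includes("scripting") && hosts.length === 0 && !perms.includes("activeTab")) {
    findings.push('"scripting" requested without activeTab or any host_permissions');
  }

  // Content scripts should also match specific URLs only.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOST_PATTERNS.has(m)) {
        findings.push(`content script matches ${m}: narrow the pattern`);
      }
    }
  }

  // Strict CSP for extension pages: explicit script-src, no eval, no remote sources.
  const csp = (manifest.content_security_policy || {}).extension_pages || "";
  const scriptSrc = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("script-src"));
  if (!scriptSrc) {
    findings.push("no explicit script-src in extension_pages CSP: add \"script-src 'self'; object-src 'self'\"");
  } else {
    const sources = scriptSrc.split(/\s+/).slice(1);
    if (sources.includes("'unsafe-eval'")) findings.push("CSP allows 'unsafe-eval'");
    if (sources.some((s) => /^https?:/.test(s) || s === "*")) {
      findings.push("CSP allows remote script sources");
    }
  }
  return findings;
}

// Constructed manifest following the guidance on this page.
const MINIMAL_MANIFEST = {
  manifest_version: 3,
  name: "example",
  permissions: ["activeTab", "scripting", "storage"],
  host_permissions: ["https://meet.example/*"],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};

// Constructed manifest violating it (broad tabs, <all_urls>, weak CSP).
const OVERBROAD_MANIFEST = {
  manifest_version: 3,
  name: "example",
  permissions: ["tabs", "scripting", "storage"],
  host_permissions: ["<all_urls>"],
  content_security_policy: {
    extension_pages: "script-src 'self' 'unsafe-eval' https://cdn.example; object-src 'self'",
  },
};

// Usage: auditManifest(JSON.parse(fs.readFileSync("manifest.json", "utf8")))
```

Chrome itself refuses some of these settings at install time under Manifest V3, but running the audit in CI reports them at review time, with a message that explains the narrower alternative, instead of as a load failure.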
For Chrome extension-specific vulnerabilities:
- Report privately via GitHub Security Advisories
- Include the Chrome version and extension version
- Describe if the vulnerability requires user interaction
- Note whether the exploit requires a malicious website