# Security Policy

## Supported Versions

Currently, we support the latest version of the Yo WebP extension.

| Version | Supported |
|---|---|
| 0.1.x | :white_check_mark: |

## Security Features

The Yo WebP extension implements several security measures:

### 1. Input Validation
- **File Extension Whitelist:** Only accepts PNG, JPG, JPEG, GIF, BMP, and TIFF files
- **Path Validation:** Prevents directory traversal attacks by validating file paths
- **File Existence Checks:** Verifies files exist before processing

### 2. No Arbitrary Code Execution
- The extension does not execute user-provided code
- All file processing is done through the pre-compiled Rust binary
- No dynamic code evaluation or shell command injection

### 3. Local Processing
- All image conversions happen locally on your machine
- No data is sent to external servers
- No telemetry or user data collection

### 4. Minimal Dependencies
- Limited number of dependencies to reduce attack surface
- Regular dependency updates (see Dependabot)
- Only trusted, well-maintained libraries

### 5. Sandboxed Execution
- Rust backend runs as a separate process
- Limited file system access (only to specified input/output files)
- No network access required
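
The input-validation and no-shell-injection measures above can be made concrete in a few lines of extension-side code. The following TypeScript is an added illustration written for this page, not the Yo WebP extension's own source. It assumes an allowed root directory (for a VS Code extension, typically the workspace folder), injects the existence check so it can be exercised without real files, and uses `--input`/`--output` flags that are placeholders rather than the actual `yo_webp_converter` command line.

```typescript
import * as path from "path";
import * as fs from "fs";

// Source formats the policy whitelists; compared case-insensitively.
const ALLOWED_EXTENSIONS: ReadonlySet<string> = new Set([
  ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".tiff",
]);

interface ValidationResult {
  ok: boolean;
  resolved?: string; // absolute path when ok
  reason?: string;   // why the candidate was rejected
}

// Validate a candidate source image against an allowed root directory.
// `root` is assumed to be the directory the extension may read from.
// `exists` is injected so the check can run without touching the file system.
function validateSourcePath(
  candidate: string,
  root: string,
  exists: (p: string) => boolean = fs.existsSync,
): ValidationResult {
  // 1. Extension whitelist.
  const ext = path.extname(candidate).toLowerCase();
  if (!ALLOWED_EXTENSIONS.has(ext)) {
    return { ok: false, reason: `extension "${ext || "(none)"}" not in whitelist` };
  }

  // 2. Path validation: resolve, then require the result to stay under root.
  //    Checking the relative path (rather than a string prefix) avoids the
  //    classic "/data" vs "/data-other" prefix mistake.
  const resolvedRoot = path.resolve(root);
  const resolved = path.resolve(resolvedRoot, candidate);
  const rel = path.relative(resolvedRoot, resolved);
  const escapes =
    rel === "" ||                       // candidate is the root directory itself
    rel === ".." ||
    rel.startsWith(".." + path.sep) ||
    path.isAbsolute(rel);               // different drive on Windows
  if (escapes) {
    return { ok: false, reason: "path escapes the allowed root" };
  }

  // 3. Existence check.
  if (!exists(resolved)) {
    return { ok: false, reason: "file does not exist" };
  }
  return { ok: true, resolved };
}

// Build the converter invocation as a program plus argv array. Handing an
// array to child_process.execFile/spawn (never a shell string to exec) means a
// file name containing ";" or "&&" is passed through as one argument, not
// interpreted as a command. The "--input"/"--output" flags are an assumption
// for illustration; the real yo_webp_converter CLI may differ.
function buildInvocation(
  binary: string,
  input: string,
  output: string,
): { file: string; args: string[] } {
  return { file: binary, args: ["--input", input, "--output", output] };
}

// Constructed demonstration inputs (no real files are read).
const demoRoot = path.join(path.sep, "workspace");
const demoResults = [
  validateSourcePath("photos/cat.png", demoRoot, () => true),
  validateSourcePath("../../etc/passwd.png", demoRoot, () => true),
  validateSourcePath("notes.txt", demoRoot, () => true),
];
for (const r of demoResults) {
  console.log(r.ok ? `accepted ${r.resolved}` : `rejected: ${r.reason}`);
}
```

The relative-path test is the important detail: a naive `resolved.startsWith(root)` check would accept `/workspace-other/x.png` when the root is `/workspace`, and a bare `startsWith("..")` check would wrongly reject a legitimate file named `..cat.png`.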

## Reporting a Vulnerability

We take security issues seriously. If you discover a security vulnerability, please follow these steps:

**Do NOT:**
- Open a public GitHub issue for security vulnerabilities
- Discuss the vulnerability publicly until it has been addressed

**DO:**
- **Email the maintainer at:** yo.licenses@gmail.com
  - Subject: `[SECURITY] Brief description`
  - Include:
    - Description of the vulnerability
    - Steps to reproduce
    - Potential impact
    - Suggested fix (if any)
- **Wait for acknowledgment** - We will respond within 48 hours
- **Allow time for a fix** - We aim to release patches within 7 days for critical issues
- **Coordinated disclosure** - We will coordinate with you on the disclosure timeline

## Security Best Practices for Users

When using the Yo WebP extension:

- **Download from trusted sources**
  - Only install from the official VSCode Marketplace or GitHub releases
  - Verify the publisher name: `yo.licenses`
- **Keep the extension updated**
  - Enable automatic updates in VSCode
  - Check for updates regularly
- **Review file permissions**
  - The extension only needs read access to source images
  - The extension only needs write access to create output WebP files
- **Be cautious with sensitive images**
  - While the extension processes locally, always be mindful of what you're converting
  - No data leaves your machine, but converted files are saved to disk

## Security Audit History

| Date | Type | Findings | Status |
|---|---|---|---|
| 2024-12 | Initial Release | N/A | Initial security measures implemented |

## Security Updates

Security updates will be released as patch versions (e.g., 0.1.1, 0.1.2) and announced in:
- GitHub Security Advisories
- Release notes
- CHANGELOG.md

## Known Security Considerations

### File System Access

The extension requires:
- Read access to the source image file
- Write access to the output directory
These are necessary for the core functionality and cannot be avoided.

### Binary Execution

The extension executes a pre-compiled Rust binary (`yo_webp_converter`). This binary:
- Is included in the extension package
- Has been built from source code in this repository
- Can be verified by building from source yourself (see INSTALL.md)
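
One way to carry out the verification the last point describes is to build the converter from the repository source and compare its digest with the copy shipped inside the installed extension. The POSIX shell below is an added example for this page, not a script from the project; the install location under `~/.vscode/extensions/` and the `bin/` subdirectory in the usage comment are assumptions, and `cargo build --release` is the usual Rust build command rather than a step documented here.

```shell
#!/bin/sh
# Compute a SHA-256 digest portably (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare the binary packaged with the installed extension against one built
# from source. Returns 0 when the digests match, 1 on mismatch, 2 if a file
# is missing.
verify_converter() {
  packaged="$1"
  built="$2"
  [ -f "$packaged" ] || { echo "packaged binary not found: $packaged" >&2; return 2; }
  [ -f "$built" ] || { echo "built binary not found: $built" >&2; return 2; }
  p=$(sha256_of "$packaged")
  b=$(sha256_of "$built")
  echo "packaged: $p"
  echo "built:    $b"
  [ "$p" = "$b" ]
}

# Usage (paths are assumptions; adjust to your install and checkout):
#   cargo build --release
#   verify_converter \
#     "$HOME/.vscode/extensions/<publisher>.<name>-<version>/bin/yo_webp_converter" \
#     target/release/yo_webp_converter
```

A mismatch is not automatically a sign of tampering: Rust release builds are only bit-for-bit reproducible when toolchain version, target triple, build flags and source revision all match the ones used for the packaged binary, so compare against the tag the installed version was built from before drawing conclusions.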

## Compliance

This extension:
- Does not collect personal data
- Does not require internet access
- Does not contain telemetry
- Operates entirely offline

## Contact

For security concerns, contact:
- Website: Yo-Licenses
- Security Email: yo.licenses@gmail.com

Last updated: December 2024