Security
Keeping Visual Inbox secure through transparency, responsible disclosure, and privacy-by-design.
Our Security Commitment
Visual Inbox is built on a privacy-first, security-first foundation. All data processing happens locally in your browser: your emails, calendar events, and Slack messages never reach our servers. That removes the server-side risks for that data entirely (a breach of our infrastructure, data retention, insider access). What remains to protect is the browser, the device it runs on, and the OAuth token held there, which is what the User Security Guide below covers.
Security Principles
Zero Server-Side Data
Your communication data is processed entirely in your browser. We never see it.
OAuth 2.0 (Implicit Flow)
Sign-in uses Google's OAuth 2.0 implicit grant: the access token is returned directly to the browser in the URL fragment, so no client secret is held and nothing passes through a server. Every authorization request carries a random state value that is checked when the redirect comes back, which blocks login CSRF. Note that the OAuth 2.0 Security Best Current Practice (RFC 9700) recommends the authorization code flow with PKCE over the implicit grant for browser apps; Google still supports the implicit grant for client-side apps.
Minimal Permissions
We request only metadata or read-only scopes: Gmail metadata (headers, not bodies or attachments) and read-only Calendar. No access to message bodies or attachments; note that the Subject line is a header, so it is readable under the Gmail metadata scope. The exact scope URLs are listed under What Permissions We Request below.
Input Validation
Every string that originates outside the app (email headers, calendar event fields, Slack export contents, file names) is HTML-escaped before it is rendered, and uploaded files are checked before they are parsed. This is the defence against markup injection (XSS) and against malformed or oversized uploads.
HTTPS Everywhere
All connections use TLS 1.2+. HSTS enforced with preload directive.
Regular Audits
Continuous security reviews, dependency updates, and vulnerability scanning.
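The escaping rule and upload checks that the Input Validation principle above refers to, as an added JavaScript example that is not Visual Inbox's own code: the vulnerable rendering of an email header beside its hardened form, and a pre-parse validation of the uploaded Slack export ZIP. The size limits and the assumed export layout (top-level JSON files plus one JSON file per channel per day) are assumptions, not the project's values.

```javascript
// Added example, not Visual Inbox's own code: the two input-validation
// controls described above, HTML-escaping untrusted strings before they are
// rendered, and checking an uploaded Slack export ZIP before it is parsed.
// The size limits and the export layout pattern are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
// '&' must be in the set, otherwise "&lt;" in the input would be decoded back.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: a From header such as "<img src=x onerror=alert(1)>" <a@b.c>
// is interpolated raw; assigning this to innerHTML runs the attacker's markup.
function renderSenderUnsafe(fromHeader) {
  return `<span class="from">${fromHeader}</span>`;
}

// Hardened: the same template, but every external string goes through escapeHtml.
function renderSender(fromHeader) {
  return `<span class="from">${escapeHtml(fromHeader)}</span>`;
}

// --- Upload checks for the Slack export ZIP -------------------------------

const ZIP_LOCAL_HEADER = [0x50, 0x4b, 0x03, 0x04];     // "PK\x03\x04"
const MAX_ENTRIES = 20000;                              // assumed limit
const MAX_ENTRY_BYTES = 50 * 1024 * 1024;               // assumed per-file limit
const MAX_TOTAL_BYTES = 500 * 1024 * 1024;              // assumed total after inflation
// Assumed Slack export layout: top-level JSON files plus <channel>/<YYYY-MM-DD>.json.
const SLACK_ENTRY = /^(?:[a-z0-9_-]+\.json|[a-z0-9_-]+\/\d{4}-\d{2}-\d{2}\.json)$/;

// Check the magic bytes instead of trusting the file extension or MIME type.
function isZipHeader(bytes) {
  return bytes.length >= 4 && ZIP_LOCAL_HEADER.every((b, i) => bytes[i] === b);
}

// Validate the entry listing (as a ZIP library exposes it from the central
// directory) before inflating anything: rejects path traversal, unexpected
// file types, and zip-bomb sized entries. Returns { ok, reasons }.
function checkSlackExportEntries(entries) {
  const reasons = [];
  if (entries.length > MAX_ENTRIES) reasons.push(`too many entries: ${entries.length}`);
  let total = 0;
  for (const { name, uncompressedSize } of entries) {
    if (name.includes('..') || name.startsWith('/') || name.includes('\\')) {
      reasons.push(`path traversal in entry name: ${name}`);
    } else if (!SLACK_ENTRY.test(name)) {
      reasons.push(`unexpected entry: ${name}`);
    }
    if (uncompressedSize > MAX_ENTRY_BYTES) reasons.push(`entry too large: ${name}`);
    total += uncompressedSize;
  }
  if (total > MAX_TOTAL_BYTES) reasons.push(`total inflated size too large: ${total}`);
  return { ok: reasons.length === 0, reasons };
}
```

In a real page, building elements and setting textContent avoids string-assembled HTML entirely; escapeHtml is what you need when a template is assembled as a string and assigned to innerHTML. The ZIP checks run on the entry listing before anything is inflated, so a malicious export is rejected without its contents ever being decoded.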
User Security Guide
How to Protect Your Data
- Use a secure device: Only connect Visual Inbox from devices you trust and control.
- Keep your browser updated: Use the latest version of Chrome, Firefox, Safari, or Edge.
- Clear local data when done: Use the "Delete Data" button to remove all locally stored information.
- Review permissions: Check what data Visual Inbox can access in your Google Account settings.
- Revoke access when finished: Visit Google Account Permissions to revoke access anytime.
What Permissions We Request
Gmail: https://www.googleapis.com/auth/gmail.metadata
- Allows: Reading email headers (From, To, Cc, Date)
- Does NOT allow: Reading email bodies or attachments
Google Calendar: https://www.googleapis.com/auth/calendar.readonly
- Allows: Reading calendar events (times, attendees, titles)
- Does NOT allow: Creating, modifying, or deleting events
Slack: No OAuth required
- Manual ZIP upload only: you control what data is analyzed
- Files are processed locally, never uploaded to our servers
How to Revoke Access
You can revoke Visual Inbox's access to your Google account at any time:
- Visit Google Account Permissions (https://myaccount.google.com/permissions)
- Find "Visual Inbox" in the list
- Click "Remove Access"
Or use the "Logout" button in the app, which also revokes the OAuth token.
Vulnerability Disclosure Policy
Responsible Disclosure
We appreciate security researchers who help keep Visual Inbox secure. If you discover a security vulnerability, please report it responsibly.
How to Report a Security Issue
- Email us: Send details to hello@visualinbox.net
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information (optional, for follow-up)
- Allow time for response: We aim to respond within 48-72 hours
- Coordinate disclosure: Please allow reasonable time for us to fix the issue before public disclosure
What to Expect
- Acknowledgment: We'll confirm receipt of your report within 72 hours
- Assessment: We'll investigate and assess the severity
- Timeline: We'll provide an expected fix timeline
- Updates: We'll keep you informed of progress
- Recognition: With your permission, we'll credit you in our security acknowledgments
Out of Scope
The following are not considered security vulnerabilities:
- Issues requiring physical access to the user's device
- Social engineering attacks
- Denial of service (DoS) attacks
- Issues in third-party services (Google, Slack)
- Reports from automated scanners without proof of exploitability
Security Acknowledgments
We thank the following security researchers for responsibly disclosing vulnerabilities:
No vulnerabilities have been reported yet. Be the first to help secure Visual Inbox!
Security Contact
Security reports go to hello@visualinbox.net (see How to Report a Security Issue above).
Technical Security Details
For technical details about our security implementation, including:
- OAuth 2.0 Token Model (Implicit Flow) with state parameter
- Content Security Policy (CSP) configuration
- Subresource Integrity (SRI) hashes on all external scripts
- Input validation and XSS protection (escapeHtml on all user data)
- Security headers (HSTS with preload, X-Frame-Options, CSP, etc.)
- Incident response procedures
Please see our detailed SECURITY.md documentation or contact us for more information.
Important Note
Visual Inbox is designed for personal use only. Do not use it with accounts containing highly sensitive information (e.g., classified data, medical records, legal privileged communications) unless you fully understand the security implications and have appropriate authorization.