If you discover a security vulnerability, please report it responsibly:

1. Do not open a public issue
2. Email the maintainer or use GitHub Security Advisories
3. Include steps to reproduce the vulnerability
4. Allow reasonable time for a fix before public disclosure

This extension runs only on github.com pages and:

• Does not collect or transmit user data
• Stores settings locally via chrome.storage.sync
• Does not make external network requests (except GIF Picker using Giphy API)
• Uses Content Security Policy compliant approaches

• Acknowledgment within 48 hours
• Fix timeline communicated within 7 days
• Credit given in release notes (unless anonymity requested)