ComplyEaze Pack handles sensitive compliance workflows. Report vulnerabilities privately; do not open a public issue for security findings.
| Version | Supported |
|---|---|
| Current source alpha (0.1.x) | Security reports and best-effort fixes |
| Chrome Web Store release | Not applicable; none published yet |
| Previous release | Not applicable until first public release |
| Development/nightly builds | No production support |
| Third-party forks | Not supported by ComplyEaze |
Email security@complyeaze.com with the subject "ComplyEaze Pack security report".
Do not include real GST Portal credentials, OTPs, CAPTCHA responses, session cookies, taxpayer files, portal HTML, raw network captures, or unredacted screenshots.
Include:
- affected version;
- browser and operating system;
- reproduction steps using synthetic data;
- impact;
- suggested remediation, if known;
- whether you believe users are actively at risk.

Response targets:

- Critical report acknowledgement: within 4 hours during monitored periods.
- High report acknowledgement: within 1 business day.
- Initial severity assessment: within 2 business days.
- Remediation timeline: communicated after triage.
These are targets, not contractual service-level commitments.
ComplyEaze Pack V0 must not:
- collect GST Portal credentials, OTPs, CAPTCHA responses, cookies, or tokens;
- upload GST files in the local-download workflow;
- store GSTIN/PAN, taxpayer names, portal HTML, raw network captures, or downloaded PDFs in extension storage;
- load remote executable code;
- access unrelated websites;
- include hidden analytics, ads, or session replay.
A report showing any of these in the official build should be treated as high or critical severity.
Please allow reasonable time for investigation, release review, and user updates. If a Chrome Web Store build exists in the future, Chrome review may also affect timing. We will credit reporters who request credit unless law, safety, or privacy prevents it.
Subject to counsel approval, ComplyEaze intends not to pursue good-faith security research that follows this policy, avoids privacy harm and service disruption, uses test or synthetic data, does not access another person's account, reports findings promptly and privately, and gives reasonable time to fix.
This does not authorise testing against GSTN or any third-party portal beyond what their terms and applicable law permit.