Security
Our commitment to transparent, responsible security.
How we handle vulnerabilities, what our security posture looks like, and what to expect when you report an issue to us.
Security Architecture
Phixo is designed with a minimal-trust, minimal-footprint architecture:
- No email storage. Email content is sent to our API, analyzed, and discarded in-memory. Nothing is written to disk or stored in a database.
- Minimum permissions. The extension requests only the permissions required to read email content in supported webmail clients. No broad host permissions are requested.
- Encrypted transit. All communication between the extension and our API uses TLS 1.2 or higher. Self-signed certificates are not accepted.
- No third-party scripts. The extension does not load any external JavaScript at runtime. All code is bundled and reviewed before release.
- Content Security Policy. Strict CSP headers are enforced on all backend endpoints.
- Rate limiting. All API endpoints are rate-limited to prevent abuse and enumeration attacks.
Responsible Disclosure Policy
We support the security research community and welcome responsible disclosure of vulnerabilities. If you discover a security issue in Phixo, we ask that you:
- Report the issue to us before disclosing it publicly.
- Give us reasonable time to investigate and remediate (we commit to remediating within 90 days).
- Avoid accessing, modifying, or deleting user data during research.
- Do not perform denial-of-service testing against our production systems.
In return, we commit to:
- Acknowledge your report within 24 hours.
- Provide a substantive response within 72 hours.
- Keep you informed of remediation progress.
- Credit you in our security acknowledgements (if you wish).
- Not pursue legal action against good-faith researchers.
Scope
In scope: Phixo Chrome extension, phixo.io and subdomains, backend API endpoints (api.phixo.io).
Out of scope: Third-party services we use (Stripe, Railway, Groq), social engineering attacks against Phixo employees, physical attacks, volumetric denial-of-service.
Security Acknowledgements
We thank the following researchers for responsibly disclosing security issues to us. This list will be updated as issues are reported and resolved.
No acknowledged researchers yet — be the first.
Report a Vulnerability
Use our secure vulnerability report form or email security@phixo.io. For sensitive reports, you may request our PGP public key.