| Version | Supported |
|---|---|
| latest | ✅ |
If you discover a security vulnerability in CloakResume, please do not open a public GitHub issue.
Instead, report it privately via GitHub Security Advisories.
You can expect:
- Acknowledgement within 48 hours
- Status update within 7 days
- Credit in the advisory once the fix is released (if desired)
CloakResume is a client-side only application — all resume editing, rendering, ATS scoring, and PDF export happen in your browser. No resume data is transmitted to any server. The attack surface is limited to:
- Third-party npm dependencies (monitored via automated CI security audits and Dependabot)
- Browser sandbox escape (out of scope — report to the browser vendor)
Known dependency vulnerabilities are tracked automatically via:
- GitHub Dependabot — daily checks against the GitHub Advisory Database
- OSV-Scanner — weekly CI workflow against the Open Source Vulnerabilities database
If you spot one that has not been addressed, please follow the disclosure process above.
- Content Security Policy — declared via
<meta http-equiv="Content-Security-Policy">inindex.html.connect-srcis restricted to the application origin, making it physically impossible for the page to upload user resume content elsewhere.script-srcdisallows remote scripts,object-srcis'none', andform-actionis pinned to'self'. - Subresource integrity — all first-party JavaScript is bundled and served from the same origin under hashed filenames.
- Local-only persistence — resume drafts are saved to
localStorageon the user's device; nothing is sent over the wire. - No tracking or analytics — the page makes no third-party network requests at runtime.
Last reviewed: 2026-04-20.