| Version | Supported |
|---|---|
| 1.x | ✅ |
UnZip Web processes all files entirely in the browser. No data is ever sent to external servers.
- All ZIP extraction is performed client-side using JSZip
- Files exist only in browser memory during the session
- Closing the tab permanently destroys all processed data
- No cookies, tracking, or analytics are collected
If you discover a security vulnerability, please report it responsibly:
- Do NOT create a public GitHub issue
- Email: rajk4435689@gmail.com
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Fix Release: Within 30 days for critical issues
The following are in scope:
- XSS vulnerabilities in file handling
- Malicious ZIP files causing client-side issues (zip bombs, path traversal)
- Dependencies with known vulnerabilities
- Information leakage
The following are out of scope:
- Social engineering
- Denial of service on client browsers (intentional large file upload)
- Issues requiring physical access to the device
This project follows these security practices:
- Dependabot automated dependency updates
- No server-side file processing
- Content Security Policy recommendations in deployment
- Subresource Integrity for CDN assets
- Regular dependency audits