Security principles
- No email content or provider token is sent to or stored on 10Alert servers.
- Official OAuth and provider APIs are preferred over passwords.
- Accounts and authorizations are isolated per provider and account.
- Permissions follow explicit user action.
- The Manifest V3 extension loads no remotely executable JavaScript.
Authorization protection
Desktop flows use Authorization Code with PKCE S256, random state and a dynamic 127.0.0.1 loopback callback. Additional Gmail tokens and IMAP credentials are encrypted using Windows DPAPI or AES-GCM with a user-only local key on macOS/Linux.
Content protection
The interface renders controlled text and does not directly inject raw email HTML. Remote images are disabled by default to reduce tracking pixels. Attachments are not downloaded automatically.
Public website
This landing page is a fully static Astro build on Cloudflare Pages. It has no authentication, database, form, analytics or endpoint receiving extension data.
Distribution
Public distribution is prepared for the Chrome Web Store and separate companion packages. Binary signing and artifact verification remain release gates; an unsigned build is not represented as the final public release.
Responsible disclosure
Use the contact address listed in Terms of Use with subject “10Alert Mail security report”. Include reproduction steps and impact, but never include real messages, passwords, tokens or personal data. Test only systems you are authorized to test.
Accurate limitations
No product can guarantee absolute security. Account security also depends on Chrome, the operating system, the email provider and user practices. Keep software updated and enable multi-factor authentication.