moula · Security
Security posture
An ad tool that lives inside your editor has to earn a very high bar of trust. Here is how moula is built, and how to tell us if we got something wrong.
How the client is built
- No file patching.moula renders only its own status bar item through public VS Code APIs. It never writes to, patches, or reads another application's files on disk. Uninstalling leaves your editor byte-for-byte identical.
- No CSP modification.moula does not alter your editor's Content-Security-Policy or any other host setting to inject content.
- No unsigned auto-update. moula does not silently update itself in the background or fetch executable code at runtime. You update it through the extension marketplace, like any other extension.
- Keys in SecretStorage.Your API key is held in VS Code's SecretStorage — the operating system's secure credential store — never in plaintext settings or a config file.
- HTTPS-only, machine-scoped endpoint. The API base URL is machine-scoped configuration, and production traffic is HTTPS only.
How the marketplace is protected
- HMAC-signed click URLs. Every click-through URL carries an HMAC signature over its impression id, verified with a constant-time comparison. Impression ids cannot be guessed or incremented to forge clicks or inflate click-through rate.
- Server-authoritative billing. Impressions and clicks are recorded and charged on our servers, never trusted from the client. Awards run inside atomic, security-definer database functions that de-duplicate retries, enforce a minimum interval between impressions, cap spend at the campaign budget, and credit each click exactly once.
- Hashed credentials. API keys are stored only as a SHA-256 hash; the raw key is shown to you once at creation and then is unrecoverable. A database leak yields no usable credentials.
- Row-level security.Every table enforces row-level security so one account can never read another account's impressions, clicks, keys, or campaigns.
Responsible disclosure
If you find a security issue, please report it privately and give us a chance to fix it before disclosing publicly. We commit to:
- Acknowledge your report within 72 hours of receipt.
- Keep you updated as we investigate, and credit you if you would like to be credited.
- Not pursue or support legal action against good-faith research that respects user privacy, avoids service disruption, and does not access or modify data beyond what is needed to demonstrate the issue.
Security contact: security@moula.dev. Machine-readable details, including our signing and preferred languages, are published at /.well-known/security.txt.
Related: what we collect and your right to inspect and uninstall.