BrowserTrace records browser-agent traces locally. Traces may contain screenshots, URLs, prompts, model outputs, selectors, and other debugging metadata. Treat trace exports as potentially sensitive.

If you find a security issue, please do not open a public issue with exploit details or sensitive traces.

Use a private GitHub vulnerability report from the repository Security tab if that option is available. If private reporting is unavailable, open a minimal public issue without exploit details, secrets, private URLs, screenshots, prompts, model output, or customer data, and ask the maintainer to establish a private follow-up path.

Include:

• A short description of the issue.
• Reproduction steps.
• Impacted BrowserTrace version.
• Whether the issue can expose local files, screenshots, prompts, model output, API keys, or trace exports.

• BrowserTrace stores data locally by default under ~/.browsertrace/ or BROWSERTRACE_HOME.
• HTML exports inline screenshots and model output. Review exports before sharing them publicly.
• Use browsertrace export <run_id> --public -o public.html before public sharing to omit prompt/model I/O, screenshots, and URLs.
• Do not attach trace exports containing secrets, customer data, private URLs, cookies, tokens, or proprietary prompts to public issues.