Micro-SaaS Vetting

1. Vet the Developer like a Vendor

If you wouldn't give a random supplier access to your customer records, don't give a random extension access to your browser.

• Check: Does the developer have a professional website and a clear track record?
• Source: Only use official stores (Chrome Web Store, Microsoft Edge Add-ons) rather than manual downloads.

2. Treat the description as a contract

The store listing should be a mini-disclosure. It must clearly explain what the tool does and exactly why it needs specific data. Look out for any mention of "analytics" or "data sharing" that doesn't match the core feature.

3. The permission sanity check

This is the most critical step. Microsoft and Google both state that extensions must only request permissions essential for their function.

• Red Flag: Does a simple "dark mode" tool really need to "read and change all your data on all websites"? If the permission doesn't match the feature, don't install it.

4. Monitor "permission creep"

Extensions update automatically. If an add-on suddenly requests new, broader permissions, treat it with suspicion. It is often safer to uninstall the tool than to grant unexplained access.

5. Decide: approve, avoid, or escalate

• Approve: Credible vendor, clear purpose, and tight permissions.
• Avoid: Vague descriptions or "just in case" access requests.
• Escalate: If a tool is genuinely useful but requires broad access to sensitive systems, have IT review it and add it to a formal "allowlist".