Realtime refers to installations, not necessarily the threat of the extension. If a user installs an extension, you should know if the extension is a threat as soon as possible whether or not it has exposed data.
Scoring is a complex problem and there's some literature on the subject. We can break down scoring / threat intelligence into a few buckets:
- Known bad actors: some extensions are known bad actors. They've exposed data and even made the news for it. Let's make sure those are absolutely not running in your environment.
- Heuristic classification: a number of heuristics can be used to score the threat of an extension, for example, the permissions it requests, its content security policy, etc.
- Automated code review: even if an extension developer is not themselves intentionally malicious, the extension may be using outdated or vulnerable libraries that can be exploited by others.
- Manual review: there are over 200k extensions, so an extensive manual review of each is not practical. Still, for the most popular extensions, a manual review can effectively score the extension based on factors that are difficult to automate. For example, review of the privacy policy, investigation of the owner entity and its business practices, etc.
- Corroboration / triangulation: a category of threat detection that Extension Monitor will be able to provide at scale is that of cross-referencing installations with purchased data to single out likely sources.
These may also apply to a single extension across versions / time.
Regarding counter-measures, Extension Monitor is read-only at this time, so remedying the threat is environment specific. Some fleet management solutions may provide this. Other self-managed machines would require the machine's administrator to remove the extension. Some teams that already allowlist or blocklist extensions would find the threat scores useful in their own manual investigations of which extensions to allow or block.
Hope this helps,
Will (still a real human... and not a Matt)
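One way to implement the "known bad actors" and "heuristic classification" buckets described in the reply above, as an added example that is not Extension Monitor's code: it scores a Chrome extension manifest on the permissions it requests and on its content security policy. The permission weights, the verdict thresholds, the blocklist entry and the sample manifest are all constructed assumptions for illustration.

```python
# Illustrative weights (assumption: constructed for this example, not Extension
# Monitor's real scoring). Higher = more capability to read or alter user data.
PERMISSION_WEIGHTS = {
    "<all_urls>": 30, "*://*/*": 30, "debugger": 30, "webRequest": 20,
    "webRequestBlocking": 20, "nativeMessaging": 20, "cookies": 15,
    "history": 15, "tabs": 10, "clipboardRead": 10, "storage": 1,
}
# Placeholder "known bad actor" list; real IDs would come from threat intel.
KNOWN_BAD_IDS = {"EXAMPLE_BAD_EXTENSION_ID"}

def score_csp(csp) -> tuple[int, list[str]]:
    """Score the manifest CSP (MV2 string or MV3 dict) on its script-src."""
    if isinstance(csp, dict):               # MV3: {"extension_pages": "..."}
        csp = csp.get("extension_pages", "")
    score, reasons = 0, []
    for directive in csp.split(";"):
        parts = directive.split()
        if not parts or parts[0] != "script-src":
            continue
        for src in parts[1:]:
            if src == "'unsafe-eval'":
                score += 20; reasons.append("script-src allows 'unsafe-eval'")
            elif src.startswith("http://"):
                score += 25; reasons.append(f"script-src over plain http: {src}")
            elif src.startswith("https://"):
                score += 10; reasons.append(f"script-src allows remote host {src}")
    return score, reasons

def score_extension(ext_id: str, manifest: dict) -> dict:
    """Return a 0-100 risk score plus a verdict and the reasons behind it."""
    if ext_id in KNOWN_BAD_IDS:
        return {"score": 100, "verdict": "block", "reasons": ["known bad actor"]}
    score, reasons = 0, []
    requested = (manifest.get("permissions", []) + manifest.get("optional_permissions", [])
                 + manifest.get("host_permissions", []))
    for perm in requested:
        if perm in PERMISSION_WEIGHTS:
            score += PERMISSION_WEIGHTS[perm]; reasons.append(f"permission {perm}")
        elif "://" in perm:                  # a scoped host pattern, low weight
            score += 3; reasons.append(f"host access {perm}")
    csp_score, csp_reasons = score_csp(manifest.get("content_security_policy", ""))
    score = min(score + csp_score, 100)
    verdict = "block" if score >= 60 else "review" if score >= 25 else "allow"
    return {"score": score, "verdict": verdict, "reasons": reasons + csp_reasons}

# Constructed manifest for a data-hungry extension (not a real extension).
SAMPLE = {"manifest_version": 2,
          "permissions": ["tabs", "cookies", "webRequest", "<all_urls>"],
          "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"}
```

Running `score_extension("constructed-id", SAMPLE)` yields a score of 95 and a "block" verdict, with the reasons list showing which permissions and CSP sources contributed; a manifest requesting only `storage` and one https host scores 4 and is allowed.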