What is Mellowtel?
Mellowtel is a privacy‑focused monetization engine for developers in the AI world to keep software and the internet free.
AI is here to stay and will most probably be the defining technology of our lifetime. To be genuinely useful, AI needs live access to the web—think ChatGPT Search, Perplexity, Grok Deep Research, agentic e‑commerce, and all the automation workflows. These patterns aren't going anywhere. If anything, the market (projected around $200B–$3T) is accelerating and growing.
Meanwhile, developers need sustainable income. Some have high‑paying roles; many do not and are building products to support themselves and their families. Traditional ads are declining—AI answers reduce pageviews, and ad‑blocking is mainstream.
Mellowtel bridges these realities. We give AI companies the ability to access public web data (for web scraping, building AI agents and AI automations) and share 55% of that revenue with developers.
We are growing fast and onboarding some of the best AI startups and scaleups in San Francisco and New York backed by Tier-1 VCs. But what we are even more excited about is being able to share this revenue with developers and help keep software and the internet free.
Addressing the recent press storm
Sensational titles and eliciting strong emotions in people grab attention. YouTubers and bloggers are more interested in getting views and clicks than in the truth. It's the unfortunate reality of the world we live in. That's what ad money makes people do.
The recent wave of negative coverage began with an article published by John Tuckner.
Mr. Tuckner appears to be associated with Secure Annex, a service that scrapes a large number of extensions across multiple platforms every day in order to monitor them. We respect the need for security oversight in the ecosystem, but we believe accuracy, intellectual honesty and truth-seeking should be the foundation of any security analysis.
We believe the service they provide is very useful, including to us, and that they have good intentions. To his credit, he was more analytical than the authors of the articles and videos that came later. But the article nonetheless contains false claims and implies things that are demonstrably false.
We have previously addressed the inaccuracies in these claims in a blog post published in July, providing factual corrections and technical clarifications. In this post we will dive deeper into some technical aspects and the measures we are taking.
We hope all the authors will take the time to correct their false and defamatory claims.
Legal Notice Regarding Defamatory Content:
Our legal team is currently documenting false and defamatory articles, videos and statements made about Mellowtel and Olostep that contain demonstrably incorrect claims about our technology and business practices. Under established defamation law, including precedents set in New York Times Co. v. Sullivan (376 U.S. 254) and Gertz v. Robert Welch, Inc. (418 U.S. 323), publishers of false statements that damage business reputation may be held liable for:
- Commercial disparagement under state business tort laws
- Trade libel for false statements about business practices
- Defamation per se for statements that harm business reputation without requiring proof of specific damages
Additionally, under 28 U.S.C. § 4101, defamation encompasses false communications that cause reputational harm. We are working with our legal counsel to evaluate all available remedies under both federal and state law, including potential claims for injunctive relief and monetary damages.
We remain committed to addressing legitimate concerns through factual dialogue and building great products rather than litigation, but we will not hesitate to protect our rights.
Addressing Privacy Concerns
Mellowtel does not collect user data or the websites users are browsing. Mellowtel opens a lightweight, invisible, sessionless environment (like an incognito tab) for a few seconds to retrieve public web data for paying AI companies. Developers receive a share of the revenue these companies pay.
To help offer our service and prevent abuse and malicious activity, Mellowtel briefly collects the user's IP address. This is used solely to:
- Infer geographic region (country level)
- Detect and mitigate abuse from repeated access patterns
- Implement rate-limiting protections
The IP address is hashed and is not used to track or identify individuals. This process is designed to comply with the General Data Protection Regulation (GDPR), since the data is neither used nor stored in a way that allows personal identification, and it is only accessed after explicit user consent. We also check available bandwidth so we don't send tasks to low-bandwidth or mobile connections.
Mellowtel is trying to be an alternative to ads. Ad companies track and exploit your every move online: collecting, profiling, and selling your personal data to the highest bidder. Mellowtel, by contrast, doesn't collect or sell users' personal data.
Addressing Security Concerns
The article by John Tuckner mentioned a security vulnerability regarding the removal of security headers.
In order to load websites properly, Mellowtel needs to remove certain response headers (x-frame-options, content-security-policy, cross-origin-embedder-policy, cross-origin-opener-policy, cross-origin-resource-policy and content-security-policy-report-only) at the sub_frame level. This, according to the author, would make users' "actual web browsing [...] more vulnerable."
The key detail overlooked by Mr. Tuckner is that these header modifications apply only to sub-frames (iframes), not to the main browsing context. As shown in the code that anyone can view on GitHub:
condition: {
resourceTypes: ["sub_frame"], // Only affects iframes
urlFilter: "*://*/*"
}
This means:
- The main page and its security remain completely intact
- Only content loaded within iframes has these headers temporarily removed
- The user's primary browsing experience maintains all standard protections
The actual attack surface is significantly smaller than the author implies. The risk is primarily theoretical: it would require a sophisticated attack specifically targeting the iframe (sub_frame) context during the brief window when the headers are removed, before they are restored (around 30 seconds). Moreover, since only vetted clients can access Mellowtel infrastructure, it is almost impossible to time an attack to this window.
But let's play devil's advocate and see what could potentially go awry. Here's what could theoretically happen:
- Clickjacking within iframes: Malicious sites could potentially embed protected content in nested iframes
- CSP protections lifted: Some CSP protections around resource loading within iframes are temporarily bypassed
- Cross-origin restrictions: Temporarily relaxed isolation between iframe content and its embedder
Clickjacking within iframes
The idea behind clickjacking is invisibly embedding protected sites (banks, social media) and leading users to unknowingly interact with hidden legitimate interfaces. To exploit a Mellowtel user, an attacker would have to get the user to visit their website during the 5-15 second header-removal window and succeed in making the user perform actions on their overlay.
CSP protections lifted
Content Security Policy normally prevents web pages from loading scripts from unauthorized domains or executing inline JavaScript. With CSP temporarily removed from sub-frames, a malicious website could theoretically load additional scripts within iframes that would normally be blocked.
However, this provides virtually no advantage to an attacker. If a user visits a malicious website, that site can already run any malicious code they want directly on the main page without any restrictions. The attacker doesn't need to bypass CSP in a sub-frame when they have full control over the main browsing context.
The only theoretical scenario would be an attacker wanting to embed and interact with a third-party site's content within an iframe, but this would still be limited by the same-origin policy and other browser protections. An unlikely case in which such an attack could succeed is if the site the attacker wanted to exploit were itself vulnerable to XSS (cross-site scripting) because it does not sanitize inputs and makes use of eval functions.
Cross-origin restrictions
Regarding the removal of the cross-origin headers (cross-origin-embedder-policy, cross-origin-opener-policy and cross-origin-resource-policy), browser-level security would still prevent a malicious website from loading another website and accessing its content (the same-origin policy still applies).
In summary, all of these "vulnerabilities" are in effect only for a small window of 5-15 seconds and require users to visit malicious websites during that period and the attacked websites not to sanitize their inputs, which makes them highly unlikely to begin with.
Still, we think we can do better. We recently committed a change that removes these headers only for the URL currently being requested, rather than for all URLs. This makes the possibility of a successful exploit so small that it is statistically not significant.
We are also implementing another measure that will make the probability of an attack drop to mathematically 0. The general idea is to use a tab-ID-level filter so that these headers are removed only at the sub_frame level of a specific tab.
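To make the scoping argument of the last three paragraphs concrete, here is an added example in JavaScript (not Mellowtel's code, and not a claim about what their commit looks like): it builds the broad sub_frame rule quoted above and a version restricted to one URL and one tab, then lists which requests in a constructed traffic sample each would touch. The rule objects follow the chrome.declarativeNetRequest shape, where condition.tabIds is only supported on session rules; the urlFilter matcher is a simplified simulation written for this example rather than Chrome's matching engine.

```javascript
// Added example (not Mellowtel's code): measure how much traffic a sub_frame
// header-removal rule touches, comparing the broad "*://*/*" condition quoted
// above with a rule scoped to one URL and one tab. Rule objects follow the
// chrome.declarativeNetRequest shape; the matcher is a simplified simulation.

const STRIPPED_HEADERS = [
  "x-frame-options",
  "content-security-policy",
  "cross-origin-embedder-policy",
  "cross-origin-opener-policy",
  "cross-origin-resource-policy",
  "content-security-policy-report-only",
];

// Build a modifyHeaders rule that removes the listed response headers from
// sub_frame loads. Without urlFilter/tabIds this is the broad rule; with them
// it is scoped. condition.tabIds is only honoured for session rules
// (chrome.declarativeNetRequest.updateSessionRules), so a tab-scoped rule must
// be installed as a session rule and removed again once the fetch ends.
function buildStripRule({ id, urlFilter = "*://*/*", tabIds } = {}) {
  const condition = { resourceTypes: ["sub_frame"], urlFilter };
  if (tabIds) condition.tabIds = tabIds;
  return {
    id,
    priority: 1,
    action: {
      type: "modifyHeaders",
      responseHeaders: STRIPPED_HEADERS.map((header) => ({ header, operation: "remove" })),
    },
    condition,
  };
}

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Simplified urlFilter semantics: "*" is a wildcard, a leading or trailing "|"
// anchors the match, and an unanchored filter matches anywhere in the URL.
// The "||" domain anchor and "^" separator of real filters are not modelled.
function urlFilterMatches(urlFilter, url) {
  let pattern = urlFilter;
  let prefix = "";
  let suffix = "";
  if (pattern.startsWith("|")) { prefix = "^"; pattern = pattern.slice(1); }
  if (pattern.endsWith("|")) { suffix = "$"; pattern = pattern.slice(0, -1); }
  const body = pattern.split("*").map(escapeRe).join(".*");
  return new RegExp(prefix + body + suffix).test(url);
}

// Would this rule rewrite the response headers of this request?
function ruleApplies(rule, req) {
  const c = rule.condition;
  if (!c.resourceTypes.includes(req.type)) return false;
  if (c.tabIds && !c.tabIds.includes(req.tabId)) return false;
  return urlFilterMatches(c.urlFilter, req.url);
}

// URLs in a traffic sample whose headers the rule would strip.
function affectedRequests(rule, requests) {
  return requests.filter((r) => ruleApplies(rule, r)).map((r) => r.url);
}

// Constructed sample traffic: the page the extension is fetching in its own
// tab (7), a near-miss URL in the same tab, and unrelated loads in tab 3.
const SAMPLE_REQUESTS = [
  { tabId: 7, type: "sub_frame", url: "https://example.com/product/123" },
  { tabId: 7, type: "main_frame", url: "https://example.com/" },
  { tabId: 7, type: "sub_frame", url: "https://example.com/product/1234" },
  { tabId: 3, type: "sub_frame", url: "https://bank.example/login" },
  { tabId: 3, type: "sub_frame", url: "https://example.com/product/123" },
];

const broadRule = buildStripRule({ id: 1 });
// Anchor both ends: an unanchored "https://example.com/product/123" would
// also match ".../product/1234" because filters match as substrings.
const scopedRule = buildStripRule({
  id: 2,
  urlFilter: "|https://example.com/product/123|",
  tabIds: [7],
});

console.log("broad rule touches:", affectedRequests(broadRule, SAMPLE_REQUESTS));
console.log("scoped rule touches:", affectedRequests(scopedRule, SAMPLE_REQUESTS));
```

Two details matter for a reviewer: the main_frame request is untouched by both rules, which is the point made above, and the tab-scoped rule leaves the bank login in the other tab alone even though it is a sub_frame. The anchoring shows a pitfall of the "only the requested URL" refinement: without the "|" anchors the filter still matches every URL that merely contains the requested one.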
Bug-bounty program
We are announcing a Mellowtel bug bounty program.
If you believe you have found a security vulnerability, we encourage you to let us know right away, privately, at info@mellowtel.com or on Discord. We will pay you for helping us make the platform safer.
More on the program on this page: https://www.mellowtel.com/bug-bounty
Addressing Malware concerns and browser policies
Some plugins that integrate Mellowtel were removed as malware because they did not ask users for explicit consent. Mellowtel is not malware, but any plugin that integrates Mellowtel and bypasses explicit user consent is malware. We agree with the web-store review teams, and we are taking measures to ensure stricter reviews on our end and a better system to enforce user consent. We have always emphasized the need to inform users and let them change their settings at any time. The core idea is that, since it is their idle bandwidth, users should decide whether they want to share it to support the developer. As a platform, we need to do more and are taking steps in this direction, starting with a default quarantine system for all integrations. More on this in the "User Consent" section below.
On Firefox, the removals instead stemmed from Firefox's lack of support for credentialless iframes. Users on Firefox were sent credentialless fetch requests from the server side, but we understand the review team's concern: non-credentialless iframes can inadvertently expose users' cookies and personal browsing.
Still, we did have some client-side safeguards for Firefox as well. Since third-party cookies are disabled by default on Firefox, we checked whether the origins of the iframe and the main frame differed, but this isn't a perfect system because users can change these default settings.
We are working on releasing a Mellowtel Lite version compatible with Firefox in the coming weeks.
Is Mellowtel compliant with browser policies?
The answer is yes, if the integration is compliant and respects user choice and settings.
The official Mellowtel plugins are available for Chrome and Edge. Soon we will submit them to the other major browsers as well.
Chrome: https://chromewebstore.google.com/detail/support-with-mellowtel/jngbedjpioeongcicaomeideeompcbcc
On Chrome, some developers may encounter issues during the review with the single purpose policy, which states that a plugin can only have one clearly stated functionality (but is often interpreted inconsistently across multi‑feature extensions). In those cases, we recommend developers share their personal link and ask users to install the official Mellowtel Chrome plugin that has the single purpose of allowing developers to earn thanks to users that want to support them by sharing their idle resources. Developers can create their link from the Mellowtel dashboard and redirect users to the official Mellowtel Chrome plugin.
If, instead, you have a plugin on Chrome that operates in the AI bandwidth sharing space and that is the single purpose of the plugin, you can integrate Mellowtel directly in your plugin.
Edge, Firefox and Safari don't have this policy, so developers can also integrate the library directly in their products; they must ask users whether they want to support them and always leave users an easy way to change their settings at any time from the plugin itself.
For the time being, we recommend integrating Mellowtel in Edge plugins, since we are still optimizing the Firefox and Safari versions of the library.
User Consent
End users must always be informed, consenting, and in control: explicit opt‑in, easy opt‑out, and a visible settings link at all times. All in the plugin itself and not just on a website. The core idea is that since it's their resources, users should decide if they want to share them or not to support a developer.
We made pre-built pages that developers can use to ask for users' permission and leave them a settings page where they can manage their settings at any time. For developers wanting custom solutions, we exposed methods that they can call to manage users' consent.
We also provide this page, independent of any single developer, where users can see which plugins are using Mellowtel and manage their settings: https://www.mellow.tel/user-control
But we recognize we need to do more, especially to curb developers not following these guidelines. This also affects our reputation since most of these plugins were removed for malware and many people started writing defamatory articles on Mellowtel. Mellowtel is not malware, but any Mellowtel integration that bypasses explicit consent is malware.
We are taking steps to curb these behaviors and guarantee a safer ecosystem.
Quarantine and Review system
When developers integrate and publish their plugins, we will first monitor each integration to see if it is requesting an informed opt-in and providing an opt-out setting before approving it to receive requests. We will also do periodic reviews to ensure the enforcement of end users' consent.
Developers that don't comply will stop receiving requests, their payments will be withheld, and they will be reported to the browser review team.
Enforcing opt-in
So far, developers could ask for users' consent either with our hosted page (https://www.mellowtel.com/opt-in?debug_mode=true) or by calling the opt-in and opt-out methods in the library from their own custom UI elements.
But there is a risk that, even if developers show these elements, they could opt users in automatically through JS by clicking the "Agree and Continue" button on their behalf. This is malware, and we are working to combat it. The quarantine/review system will catch these violations.
Additionally, we are adding native elements to the library that cannot be driven through JS and require an action from the end user.
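One way a native control can tell a real user action from a scripted one, as an added example that is not code from the Mellowtel library: the DOM's read-only isTrusted flag is false on every event a script creates or dispatches (including element.click()), so gating the opt-in on it stops a developer's own JS from pressing the button. The element ids and the event objects below are assumptions made for the example so that it runs outside a browser.

```javascript
// Added example (not the Mellowtel library's code): a consent control that only
// records an opt-in for a click the browser generated from a real user gesture.
// Events created by script, whether via `element.click()` or
// `dispatchEvent(new MouseEvent("click"))`, carry isTrusted === false, and
// isTrusted is read-only, so page JS cannot "press" the button on the user's
// behalf. The event objects used below are constructed stand-ins for DOM events.

function createConsentStore() {
  return { optedIn: false, optedInAt: null, rejectedSyntheticClicks: 0, history: [] };
}

// Grant consent only for a trusted click. Returns the outcome so callers and
// tests can see what happened; `now` is injectable for deterministic timestamps.
function handleOptInClick(store, event, now = () => Date.now()) {
  if (!event || event.type !== "click") return "ignored";
  if (event.isTrusted !== true) {
    store.rejectedSyntheticClicks += 1;
    store.history.push({ action: "rejected-synthetic-opt-in", at: now() });
    return "rejected-synthetic";
  }
  store.optedIn = true;
  store.optedInAt = now();
  store.history.push({ action: "opt-in", at: store.optedInAt });
  return "opt-in";
}

// Opt-out is deliberately not gated on isTrusted: a scripted opt-out can only
// reduce what is shared, so there is no reason to make it harder.
function handleOptOut(store, now = () => Date.now()) {
  store.optedIn = false;
  store.optedInAt = null;
  store.history.push({ action: "opt-out", at: now() });
  return "opt-out";
}

// What the popup shows; the user must always be able to see the current state.
function settingsSummary(store) {
  return {
    sharing: store.optedIn,
    since: store.optedInAt,
    blockedAutomatedOptIns: store.rejectedSyntheticClicks,
  };
}

// Browser wiring with assumed element ids (not executed here; Node has no DOM).
function attachConsentControls(doc, store) {
  doc.getElementById("mt-opt-in").addEventListener("click", (e) => handleOptInClick(store, e));
  doc.getElementById("mt-opt-out").addEventListener("click", () => handleOptOut(store));
}

// Limit of the check: isTrusted defeats automation by the extension's own page
// scripts, not input injected through the DevTools protocol or OS-level tools,
// which is why review and quarantine still matter alongside it.
```

A rejected synthetic click is worth recording rather than silently dropping: a counter of blocked automated opt-ins is exactly the signal a quarantine or periodic review would want to see per integration.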
Native settings UI
Instead of asking developers merely to link to our hosted settings page (https://www.mellowtel.com/settings?debug_mode=true), we are building elements natively into the library so that users can change their opt-in and opt-out settings at any time from the popup.
Should We Stay Open-Source?
Due to instances of developers forking Mellowtel and using it without asking user consent, we are considering removing the open-source version of our software. While our goal with open-source was to build a trusted ecosystem, we've found that this trust has come at the expense of security and has led to defamatory articles about Mellowtel that undermine trust.
We are thinking about no longer keeping it open source and instead undergoing regular security audits by third parties. We are still evaluating this decision internally and welcome your feedback on it.
Support with Mellowtel
Support with Mellowtel is our official extension that connects developers with their supporters. Developers share personal referral links with their community, and users who install through these links help generate earnings for their favorite creators. In return, developers can offer exclusive features to their supporters.
It's available for Chrome and Edge.
We recommend it especially for developers on Chrome if they are having issues with the single purpose policy.
On Edge, instead, it's better to do the native integration.
AI Agent for Integrations
In the coming days, we’ll launch an AI agent in our backend that automates the Mellowtel setup for your extension. Developers will simply need to upload their extension’s ZIP in the Mellowtel dashboard. The agent will add the library, configure the consent flow, run basic validations and tests, and return a ready‑to‑ship integration.
Extension Launcher: Coming Soon
We’re working on an extension launcher that’s compatible with any browser and will allow developers to turn their extensions into agentic apps.
Benefits for developers are:
- Maintain one codebase that works on any browser (Chrome, Safari, Firefox, Edge, etc.)
- Pre-built monetization with 2-5X higher payouts
- 100K USD Developers Fund to help developers create great products
- Turn browser plugins into agentic apps using pre-built APIs
- Reward users who support you with exclusive features
If you are interested in learning more, reach out at info@mellowtel.com or on Discord for early access.
Final Thoughts
We’re excited about where Mellowtel is headed and remain committed to a transparent, user‑respecting ecosystem.
We are building a platform similar to Airbnb or Uber: trust and consent are the product. When you put people up in other people's houses, have them take rides with complete strangers, or ask users to support developers by sharing their resources, you need a safe and trusted ecosystem that demands safety by design and is based on free choice and complete control.
Our goal is to be the AI‑era solution that keeps software and the open internet free: developers earn from their products; supporters enjoy high‑quality services at no cost.
There is still a lot to build: stricter reviews and audits, stronger safeguards, clearer UX for managing user consent, and better tools for developers and users alike.
No product or service is perfect, and we recognize that there is valid criticism of the platform. On our end, we have a lot to improve and are grateful to everyone who shares feedback to improve the product and service. You can write to us anytime at info@mellowtel.com, and we will do our best to address concerns and make the platform better.
Some will like what we do; others won't. Some will join us in building; others will stand aside and criticize. We might succeed, or we might not. But we will do our best to create something meaningful. We will keep learning, improving, and building a better internet for the AI world where users have full control and developers thrive to keep software and the internet free.
It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat.