Skip to content

Security: ocpp-debugkit/website

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in the OCPP DebugKit website, please report it responsibly:

  1. Do not open a public GitHub issue.
  2. Go to github.com/ocpp-debugkit/website/security/advisories/new and create a private security advisory.
  3. Include a description of the vulnerability, steps to reproduce, and potential impact.
  4. You will receive an acknowledgment within 48 hours.
  5. We will investigate and work with you on a fix before any public disclosure.

Security Considerations

This site includes an in-browser trace inspector that processes untrusted input (trace files and pasted content). The following principles are enforced:

  • Browser-local processing — traces are parsed and analyzed entirely in the browser. Trace content is never uploaded to a server.
  • Input validation and size limits — file-size and event-count limits are enforced on trace input (via @ocpp-debugkit/toolkit).
  • Safe JSON parsing — try/catch with size guards on all untrusted input.
  • No dynamic code execution — no eval(), Function(), or similar on untrusted input.
  • Safe rendering — no dangerouslySetInnerHTML or unsafe HTML injection of user content.
  • No secrets in committed files — no credentials, API keys, or tokens.

Scope

This policy applies to this repository (the marketing site, docs, and the in-browser inspector). It does not apply to user-loaded traces or runtime-generated reports — those contain the user's own data and are processed locally in the browser. Vulnerabilities in the underlying library belong in the toolkit repo; vulnerabilities in the native app belong in studio.

There aren't any published security advisories