| Version | Supported |
|---|---|
| 1.0.x | ✅ |
FirePath-Core is designed as a local-first, zero-network financial calculator. This architecture eliminates entire categories of security threats by design.
- No network requests — No `fetch`, `XMLHttpRequest`, `WebSocket`, or any outbound calls. Verify yourself: `grep -rn "fetch\|XMLHttpRequest\|WebSocket\|\.ajax\|sendBeacon" fire_math.js fire_calculator.html` (this is a spot check for those API names; also confirm the HTML carries no external `src`/`href` values and no `EventSource` or dynamic `import()` usage)
- No server-side processing — All calculations run in the browser
- No data storage on remote servers — Your financial data never leaves your machine
- No authentication or accounts — Nothing to breach
- No third-party analytics or tracking — No cookies, no telemetry
- No CDN dependencies at runtime — Chart.js is bundled inline via `build.js`
| Vector | Risk | Mitigation |
|---|---|---|
| XSS via CSV import | Low | Input sanitization applied to all CSV-parsed values (fixed in 2bd6dc8) |
| XSS via scenario rendering | Low | Template outputs are escaped before DOM insertion |
| Malicious CSV file | Low | Parser validates structure; no eval() or dynamic code execution |
| Supply chain (npm) | Low | Only 2 dependencies (chart.js, jest); Dependabot enabled |
| Local file tampering | Medium | Users should verify file integrity via git (compare the working tree against a tagged release commit) |
| Browser extension interference | Medium | Outside project scope; users should audit extensions |
- Inputs: All financial inputs are entered by the user and stored only in browser memory during the session
- Assumption files (`.fire-assumptions.json`): Contain only modeling parameters (rates, ages, allocations) — no account numbers, balances, or PII
- CSV import: Parsed entirely in JavaScript; raw file content is never persisted
If you discover a security vulnerability in FirePath-Core, please report it responsibly:
- Preferred: Open a GitHub Security Advisory on the repository
- Alternatively: Open a private issue on the repository
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Acknowledgment: Within 48 hours
- Assessment: Within 7 days
- Fix release: Within 30 days for confirmed vulnerabilities
In scope:
- XSS or injection vulnerabilities in CSV parsing or UI rendering
- Data leakage (any code path that transmits user data externally)
- Dependency vulnerabilities with a viable exploit path
- Logic errors in financial calculations that could mislead users
Out of scope:
- Issues requiring physical access to the user's machine
- Browser-specific bugs outside the project's control
- Social engineering attacks
- Vulnerabilities in dependencies without a demonstrated exploit in this project
- Download from the official repo — Only use releases from github.com/sandseb123/FirePath-Core
- Verify file integrity — Compare the downloaded files against the tagged release in the repository
- Keep dependencies updated — Run `npm audit` periodically if using the dev setup
- Use a modern browser — Ensures latest security patches and CSP support
- Don't modify and re-share — If you fork, audit your changes for security