DeclaRenta processes sensitive financial and tax data. Your data never leaves your machine — all processing happens locally (browser or CLI).
Please do not report security vulnerabilities through public GitHub issues.
Instead, please use GitHub's private vulnerability reporting:
- Go to https://github.com/GeiserX/DeclaRenta/security/advisories
- Click "Report a vulnerability"
- Fill out the form with details
We will respond within 48 hours and work with you to understand and address the issue.
Please include as much of the following as you can in your report:
- Type of issue (e.g., XSS, data leak, incorrect tax calculation)
- Full paths of affected source files
- Step-by-step instructions to reproduce
- Proof-of-concept or exploit code (if possible)
- Impact assessment and potential attack scenarios
| Version | Supported |
|---|---|
| 0.x.x | Current release |
Only the latest version receives security updates.
DeclaRenta is designed so that no financial data ever leaves your machine:
- Browser mode: All processing happens in-browser via JavaScript. No server calls except ECB exchange rates (public data).
- CLI mode: Runs entirely on your local machine. Network calls only for ECB rates (cacheable).
- No analytics, no tracking, no telemetry.
- No user accounts, no authentication.
```
IBKR XML file → [your browser/CLI] → Tax report (local)
                        ↓
               ECB rates API (public, cacheable)
```
DeclaRenta will never:
- Upload your broker data to any server
- Store any financial information
- Track usage or collect analytics
- Require authentication or accounts
Guidelines for contributors:
- Never add network calls that send user financial data anywhere
- Validate all input from XML files (malformed XML must not crash the application)
- Use Decimal.js for all monetary calculations (never floating-point arithmetic)
- Never log financial amounts, NIF, or other personal data
Recommendations for users:
- Download from official sources only (GitHub releases, npm)
- Verify you are on the official domain when using the web version
- Keep updated to the latest version
- Review the source — it's open source for exactly this reason
For security questions that aren't vulnerabilities, open a GitHub Discussion.
Last updated: April 2026