
Security: Ghost-Sellz/JSONCraft

SECURITY.md

Security Policy

Supported Versions

JSONCraft is currently in active development. Security fixes are applied to the latest version only.

Version | Supported
--------|----------
Latest  | ✅ Yes
Older   | ❌ No

Our Security Posture

JSONCraft is a fully client-side, browser-based tool. It has:

  • ❌ No backend server
  • ❌ No database
  • ❌ No user accounts or authentication
  • ❌ No data transmission — JSON input never leaves your browser
  • ❌ No cookies or persistent storage
  • ✅ Zero dependencies

This significantly limits the attack surface. However, vulnerabilities in client-side JavaScript (e.g. XSS, malicious input handling, unsafe DOM manipulation) are still taken seriously.
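The two client-side failure modes this policy names, unsafe eval() and unsafe DOM manipulation on crafted JSON input, beside their safe forms. This is an added example, not JSONCraft's own code; the function names and the sample document are this example's assumptions.

```javascript
// Added example (not JSONCraft project code). Demonstrates why a client-side
// JSON tool must parse with JSON.parse() and render with text, never markup.
// All function names and the sample input below are constructed for this example.

// UNSAFE pattern (not called here): eval(text) or new Function(text) on pasted
// input executes any JavaScript hidden in the "JSON". JSON.parse() accepts only
// JSON grammar and throws on everything else, so code can never run.
function parseJsonSafely(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Escape the five characters that let a string change meaning inside HTML.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pretty-print parsed JSON as HTML with every value escaped, so a string such
// as "</pre><b>x</b>" stays visible text instead of becoming markup.
// UNSAFE in a page: el.innerHTML = JSON.stringify(value, null, 2)
// SAFE in a page:   el.textContent = JSON.stringify(value, null, 2)
function renderJsonAsHtml(value) {
  return "<pre>" + escapeHtml(JSON.stringify(value, null, 2)) + "</pre>";
}

// Constructed samples: a document whose string value carries HTML, and a
// non-JSON object literal that eval() would have accepted but JSON.parse rejects.
const sampleInput = '{"name":"</pre><b>injected</b>","n":1}';
const notJson = "{a:1}";

const parsed = parseJsonSafely(sampleInput);
const html = parsed.ok ? renderJsonAsHtml(parsed.value) : "";
console.log(html);                 // escaped markup, no live <b> element
console.log(parseJsonSafely(notJson).ok); // false: rejected, not executed
```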


Reporting a Vulnerability

If you discover a security vulnerability in JSONCraft, please do not open a public GitHub Issue.

Instead, report it privately by emailing:

📧 Gh5sty@protonmail.com

Please include:

  • A clear description of the vulnerability
  • Steps to reproduce it
  • The potential impact
  • Any suggested fix (optional but appreciated)

You can expect an acknowledgement within 72 hours and a resolution or update within 7 days, depending on severity.


Scope

The following are considered in scope for security reports:

  • Cross-site scripting (XSS) via crafted JSON input
  • Unsafe eval() or dynamic code execution
  • Malicious file downloads generated by the tool
  • Unintended data exfiltration

The following are out of scope:

  • Vulnerabilities in the user's own browser or OS
  • Social engineering attacks
  • Issues in third-party hosting platforms (e.g. Netlify)
  • Theoretical vulnerabilities with no practical exploit

Disclosure Policy

JSONCraft follows responsible disclosure. Once a fix is released, the vulnerability may be publicly disclosed with credit to the reporter (unless anonymity is requested).


Security Best Practices for Users

Since JSONCraft runs entirely in your browser:

  • You can use it offline for sensitive JSON data by cloning the repo and opening index.html locally
  • Avoid pasting sensitive credentials, API keys, or personal data into any online tool
  • The hosted version at js0ncraft.netlify.app is served over HTTPS

This security policy was last updated: March 2026
