Security & Privacy
VEX Triage is a focused vulnerability analysis editor — not a full VEX authoring tool. It was designed from the ground up for security-conscious users. Here's exactly how it works and why you can trust it with your data.
Client-Side Only Architecture
VEX Triage runs entirely in your browser. There is no server-side processing, no API calls, and no backend infrastructure beyond static file hosting. Your VEX documents are never transmitted over the network.
The application is hosted as static files on AWS CloudFront (S3 origin). Once the HTML, CSS, and JavaScript files are loaded, the application makes zero additional network requests.
Data Flow
Here's the exact path your data takes:
At no point does your document content leave JavaScript's in-memory heap. The browser's File API reads your file directly; the Blob API writes it back to your disk. No intermediate servers, no temporary storage.
Zero Third-Party JavaScript
VEX Triage contains zero npm packages and loads zero external scripts. Every line of JavaScript is first-party code written specifically for this application.
This is a deliberate security decision, not a constraint. Third-party JavaScript introduces supply chain risk — and for an application that handles vulnerability data, we believe that risk is unacceptable.
- No npm, no node_modules, no package.json
- No CDN-loaded libraries
- No build step — source files are what ships
- Fonts are self-hosted, not loaded from Google Fonts CDN
Complete Network Request Table
These are the only network requests VEX Triage makes, all during initial page load:
| Resource | Type | Origin | Purpose |
|---|---|---|---|
| `*.html` | Document | Same origin | Page structure |
| `css/*.css` | Stylesheet | Same origin | Styling |
| `js/*.js` | Script | Same origin | Application logic |
| `assets/fonts/*.woff2` | Font | Same origin | Typography |
No requests are made during editing or saving. Open your browser's Network tab and verify.
localStorage Usage
VEX Triage uses localStorage for the following — all opt-in or UI preferences only:
| Key | Value | Purpose |
|---|---|---|
| `vexeditor-theme` | "light" or "dark" | Remember your theme preference |
| `vexeditor-autosave` | "true" or "false" | Remember your auto-save toggle preference |
| `vexeditor-session` | JSON document | Your working document (only when auto-save is enabled) |
Document content is stored in your browser only when you enable the auto-save toggle in the toolbar — it is off by default. You can discard the saved session at any time from the upload screen. No user identifiers are ever stored. All data remains in your browser's localStorage and is never transmitted.
Content Security Policy
VEX Triage is served with strict CSP headers configured at the CloudFront level:
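The connect-src 'none' directive means the browser will block any attempt by JavaScript to open a network connection (fetch, XMLHttpRequest, WebSocket, EventSource, navigator.sendBeacon), even if a bug existed in the code. Other request types, such as image loads and form submissions, are governed by their own directives (img-src, form-action) rather than by connect-src.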
Verify It Yourself
Don't take our word for it. Here's how to confirm everything above:
- Open DevTools (F12 or Cmd+Opt+I)
- Network tab — Load the editor, upload a file, edit it, save it. Watch the network tab — after initial page load, you'll see zero requests.
- Sources tab — Browse all JavaScript. There's no minification, no bundling. Read every line.
- Application tab — Check localStorage, cookies, service workers. You'll find only the theme preference.
- View Source — Right-click → View Page Source. What you see is what runs. No build step transforms the code.
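The Network and Application tab checks above can also be scripted. The following is an added example, not part of VEX Triage's own code: it compares Resource Timing entries and localStorage contents against the allowlists in this page's tables. The function names are hypothetical, and it assumes the load event marks the end of initial page load.

```javascript
// Added example (not VEX Triage code). Allowlists are copied from this page's tables.
const ALLOWED_PATHS = [
  /\.html$/,                            // *.html
  /(^|\/)css\/[^/]+\.css$/,             // css/*.css
  /(^|\/)js\/[^/]+\.js$/,               // js/*.js
  /(^|\/)assets\/fonts\/[^/]+\.woff2$/, // assets/fonts/*.woff2
];
const ALLOWED_KEYS = new Map([
  ['vexeditor-theme', ['light', 'dark']],
  ['vexeditor-autosave', ['true', 'false']],
  ['vexeditor-session', null], // free-form JSON document, value not checked
]);

// entries: objects shaped like PerformanceResourceTiming ({ name, startTime }).
// cutoffMs: end of initial page load; any request starting later is flagged.
function auditRequests(entries, pageOrigin, cutoffMs) {
  const findings = [];
  for (const { name, startTime } of entries) {
    const url = new URL(name, pageOrigin);
    if (url.origin !== pageOrigin) findings.push({ item: name, reason: 'cross-origin' });
    else if (!ALLOWED_PATHS.some((re) => re.test(url.pathname)))
      findings.push({ item: name, reason: 'undocumented resource' });
    else if (startTime > cutoffMs) findings.push({ item: name, reason: 'after initial load' });
  }
  return findings;
}

// pairs: [key, value] tuples read from localStorage.
function auditStorage(pairs) {
  const store = new Map(pairs);
  const findings = [];
  for (const [key, value] of store) {
    const allowed = ALLOWED_KEYS.get(key);
    if (!ALLOWED_KEYS.has(key)) findings.push({ item: key, reason: 'undocumented key' });
    else if (allowed && !allowed.includes(value)) findings.push({ item: key, reason: 'unexpected value' });
    // Assumption: the session key should be absent whenever auto-save is off.
    else if (key === 'vexeditor-session' && store.get('vexeditor-autosave') !== 'true')
      findings.push({ item: key, reason: 'session stored while auto-save is off' });
  }
  return findings;
}

// In the DevTools console, after uploading, editing and saving a document:
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const nav = performance.getEntriesByType('navigation')[0];
  const pairs = Array.from({ length: localStorage.length }, (_, i) =>
    [localStorage.key(i), localStorage.getItem(localStorage.key(i))]);
  console.table(auditRequests(performance.getEntriesByType('resource'), location.origin, nav.loadEventEnd));
  console.table(auditStorage(pairs));
}
```

An empty result from both calls matches what this page documents. Resource Timing does not list WebSocket connections, so the Network tab remains the fuller view.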
What We Don't Do
- No analytics or tracking scripts
- No cookies of any kind
- No service workers caching document content
- No telemetry or error reporting
- No user accounts or authentication
- No server-side processing or Lambda functions