
Security: savekar-ev/OCPI-2.2.1-EMSP-Simulator


SECURITY.md

Security Policy

Supported Versions

The following versions of the OCPI 2.2.1 EMSP Simulator are currently receiving security updates:

Version        Supported
1.x (latest)   ✅ Yes
< 1.0          ❌ No

Reporting a Vulnerability

We take security seriously. If you discover a vulnerability in this project, we ask that you do not open a public GitHub issue. Public disclosure of a security vulnerability before it is patched could put users at risk.

How to Report

Please report security vulnerabilities by emailing us directly:

📧 savekarev@gmail.com

Use the subject line: [SECURITY] OCPI-EMSP-Simulator - <brief description>

What to Include

Please include as much of the following information as possible to help us understand the nature and scope of the vulnerability:

  • Description of the vulnerability and its potential impact.
  • Steps to reproduce the vulnerability.
  • Affected versions of the project.
  • Any proof-of-concept code or screenshots (if applicable).
  • Any suggested mitigations you may have.

Our Commitment

  • We will acknowledge your report within 48 hours.
  • We will investigate and triage the issue within 7 days.
  • We will work with you to understand and validate the issue.
  • We will release a patch as quickly as possible and notify you when it is available.
  • We will credit you (with your permission) in the release notes for responsibly disclosing the issue.

Scope

This simulator is designed as a developer testing tool and is not intended for production deployment with real user data. However, we still take security seriously for the following reasons:

  • The simulator handles authentication tokens (OCPI Token A/B/C).
  • It may be run in shared or CI/CD environments where token leakage could occur.
  • Vulnerabilities affecting the protocol implementation could propagate to CPO implementations that rely on this simulator for validation.

In-Scope Issues

  • Authentication bypass or token leakage.
  • Injection vulnerabilities (command injection, path traversal, etc.).
  • Unsafe deserialization or schema-parsing vulnerabilities.
  • Dependency vulnerabilities in requirements.txt.

Out-of-Scope Issues

  • Issues only reproducible in a misconfigured environment.
  • Issues with the OCPI 2.2.1 specification itself (report to the OCPI working group).
  • Denial-of-service attacks on a locally running development instance.

Security Best Practices for Users

When running this simulator, we recommend:

  1. Never commit config.yaml — it contains sensitive tokens. It is already in .gitignore.
  2. Use strong, randomly generated tokens for bootstrap_token, emsp_token_to_cpo, and cpo_token_to_emsp.
  3. Run on localhost only during development. Do not expose the simulator to the public internet without proper firewall rules.
  4. Keep dependencies updated: Regularly run pip install --upgrade -r requirements.txt.
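The two token-related recommendations above (strong random values for bootstrap_token, emsp_token_to_cpo and cpo_token_to_emsp, and keeping config.yaml out of version control) can be checked mechanically before a simulator instance is started. The script below is an added example, not part of the simulator's own code base: it generates the three tokens with the standard library's secrets module, audits an existing config dictionary for placeholder or low-entropy values, and checks that config.yaml is listed in a .gitignore. The thresholds (32 random bytes per token, 128 bits of estimated entropy) and the simplified .gitignore matching are assumptions made for this example; the key names come from the policy text.

```python
"""Generate strong OCPI credentials and audit a config for weak ones.

Added example for the SECURITY.md guidance; not the project's own tooling.
"""
import math
import re
import secrets

# config.yaml keys that carry secrets (names taken from the policy above).
TOKEN_KEYS = ("bootstrap_token", "emsp_token_to_cpo", "cpo_token_to_emsp")
MIN_BYTES = 32           # 256 bits of randomness per token (assumed threshold)
MIN_ENTROPY_BITS = 128   # reject anything a person could plausibly have typed (assumed)

# Whole-value placeholders commonly left in sample configs (constructed list).
PLACEHOLDER_RE = re.compile(
    r"(changeme|password|secret|example|test|token|dummy)[0-9]*", re.IGNORECASE
)


def generate_token(n_bytes: int = MIN_BYTES) -> str:
    """Return a URL-safe token drawn from the OS CSPRNG (secrets.token_urlsafe)."""
    return secrets.token_urlsafe(n_bytes)


def generate_tokens() -> dict:
    """Fresh, independent values for every secret key in config.yaml."""
    return {key: generate_token() for key in TOKEN_KEYS}


def estimated_entropy_bits(token: str) -> float:
    """Rough upper bound on entropy: length times log2 of the character classes used.

    This overestimates for human-chosen strings, so it is a filter for
    obviously weak values, not a proof of strength.
    """
    charset = 0
    if re.search(r"[a-z]", token):
        charset += 26
    if re.search(r"[A-Z]", token):
        charset += 26
    if re.search(r"[0-9]", token):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", token):
        charset += 32  # approximate size of the printable-symbol class
    return len(token) * math.log2(charset) if charset else 0.0


def token_problems(name: str, value) -> list:
    """List of human-readable findings for one token; empty means acceptable."""
    if not isinstance(value, str) or not value:
        return [f"{name}: missing or empty"]
    problems = []
    if PLACEHOLDER_RE.fullmatch(value):
        problems.append(f"{name}: value is a well-known placeholder")
    bits = estimated_entropy_bits(value)
    if bits < MIN_ENTROPY_BITS:
        problems.append(f"{name}: estimated entropy {bits:.0f} bits, need >= {MIN_ENTROPY_BITS}")
    return problems


def audit_config(config: dict) -> list:
    """Run token_problems over every secret key of a parsed config.yaml."""
    findings = []
    for key in TOKEN_KEYS:
        findings.extend(token_problems(key, config.get(key)))
    return findings


def config_is_ignored(gitignore_text: str, path: str = "config.yaml") -> bool:
    """True if .gitignore contains an entry covering `path`.

    Simplified: exact path (with or without leading slash) or a *.yaml glob.
    Real gitignore semantics (negation, directory rules) are richer than this.
    """
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lstrip("/") == path or line == "*.yaml":
            return True
    return False


def render_yaml(tokens: dict) -> str:
    """Minimal YAML fragment for the three keys (values contain no YAML-special chars)."""
    return "".join(f"{key}: {value}\n" for key, value in tokens.items())


# Constructed sample: two weak values and one properly generated one.
WEAK_CONFIG = {
    "bootstrap_token": "changeme",
    "emsp_token_to_cpo": "abc123",
    "cpo_token_to_emsp": generate_token(),
}

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("WEAK:", finding)
    print("Suggested config.yaml fragment:\n" + render_yaml(generate_tokens()))
    print("config.yaml ignored:", config_is_ignored("*.pyc\nconfig.yaml\n"))
```

Run it once to print a fresh config.yaml fragment, or import audit_config into a CI step so a pipeline fails fast if a shared runner is started with sample tokens still in place.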

Thank you for helping keep the EV developer community safe. 🔐

There aren’t any published security advisories