Transparency is a security requirement
A tool that processes your organisation's cybersecurity vulnerabilities must be trustworthy. The only way to be certain about what a tool does with your data is to be able to read the source code yourself. Open Risk Register is fully open source for exactly this reason.
Fully auditable
Every function that reads, writes, or processes your assessment data is in the open. No obfuscation, no minified-only releases.
Self-hostable
Download the built files and serve them from your own infrastructure. Run it on an air-gapped machine for maximum security.
Community-maintained
Bug reports, improvements, and new features are welcome. The more people who review the code, the more robust and trustworthy the tool becomes.
Built with plain web technologies
Open Risk Register uses vanilla HTML, CSS, and JavaScript — no frameworks, no dependencies, no tracking libraries. This keeps the tool fast, secure, and easy to audit.
| Layer | Technology | Notes |
|---|---|---|
| Markup | HTML5 | Semantic, accessible, ARIA roles throughout |
| Styling | CSS3 (no frameworks) | CSS custom properties design system; no inline styles |
| Scripting | Vanilla JavaScript (ES2020+) | ES modules; no frameworks; no external dependencies |
| Storage | Browser localStorage | All assessment data stored locally; nothing sent to server |
| Build tool | esbuild 0.23 | Bundles and minifies JS + CSS; no runtime build step |
| Font | Roboto Flex (self-hosted) | Variable font; loaded from /dist/ with no external CDN calls |
| Security | Strict CSP | script-src 'self'; style-src 'self'; no unsafe-inline; no eval |
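When self-hosting, the policy in the Security row is worth confirming on your own deployment. The following is an added example, not part of the Open Risk Register code base, which audits a `Content-Security-Policy` value against that row. It assumes the policy is delivered as a response header by the server you host the files on; `parseCsp`, `auditCsp` and the sample header values are constructed for illustration.

```javascript
// Added example, not Open Risk Register code. Audits a Content-Security-Policy
// header value against the policy in the table: script-src 'self';
// style-src 'self'; no unsafe-inline; no eval.

// Parse a CSP header value into a Map: directive name -> source tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(tokens[0])) directives.set(tokens[0], tokens.slice(1));
  }
  return directives;
}

// Return deviations from the stated policy; an empty array means it matches.
function auditCsp(header) {
  const findings = [];
  const csp = parseCsp(header || '');
  for (const directive of ['script-src', 'style-src']) {
    // Browsers fall back to default-src when the specific directive is absent.
    const sources = csp.get(directive) ?? csp.get('default-src');
    if (sources === undefined) {
      findings.push(`${directive}: unrestricted (no ${directive} or default-src)`);
      continue;
    }
    if (!sources.includes("'self'")) findings.push(`${directive}: 'self' missing`);
    for (const src of sources) {
      if (src === "'self'") continue;
      const kind = src.startsWith("'unsafe-") ? 'unsafe keyword' : "source other than 'self'";
      findings.push(`${directive}: ${kind} ${src}`);
    }
  }
  return findings;
}

// Constructed sample header values (not captured from any real deployment).
const STRICT = "default-src 'self'; script-src 'self'; style-src 'self'";
const WEAK = "script-src 'self' 'unsafe-inline' https://cdn.example; style-src 'self' 'unsafe-inline'";

for (const [label, header] of [['strict', STRICT], ['weak', WEAK], ['absent', '']]) {
  const findings = auditCsp(header);
  console.log(label, findings.length === 0 ? 'matches stated policy' : findings);
}
```

Feed it the header value your server actually returns for the tool's page; any finding means the deployment is looser than the policy the table describes.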
Find us on GitHub
The full source code for Open Risk Register is available on GitHub under an open source licence. You can browse the code, open issues, submit pull requests, or fork the project for your own use.
View on GitHub →
Ready to use the tool?
No installation required. Open it in your browser and start your risk assessment.
Start Assessment →