jeans/home-assistant.io
jeans/home-assistant.io
1
0
Fork 0
mirror of https://github.com/home-assistant/home-assistant.io.git synced 2025-07-28 11:47:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update security page (#29291)

Browse Source 
* Update security page

* Typo

* Process review comments

* Add details for CVE-2017-16782

* Fix markdown

* Process review comments

* a -> an

Co-authored-by: c0ffeeca7 <38767475+c0ffeeca7@users.noreply.github.com>

* Slight wording change

---------

Co-authored-by: c0ffeeca7 <38767475+c0ffeeca7@users.noreply.github.com>
This commit is contained in:
Franck Nijhof 2023-10-11 09:16:54 +02:00 committed by GitHub
parent 4faba931e5
commit c6805b9d82
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 75 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
source/security/index.markdown
View File

@ -1,11 +1,81 @@
---
title: "Security"
description: "Information about disclosing security vulnerabilities in Home Assistant."
description: "Home Assistant takes its security seriously. This page contains information about how we handle security issues, how to report them, and also information on past security issues."
---
If you think that you have found a security vulnerability in Home Assistant, please disclose it to us via our security e-mail address at [security@home-assistant.io](mailto:security@home-assistant.io).
Home Assistant takes its security seriously. We will do everything in our power to ensure that our users are safe.
Please do not make vulnerabilities public without notifying us and giving us at least 3 days to respond.
This page is intended to provide information about how to report security issues with us, and how they are handled. Additionally, it provides details about reported security issues we have [handled in the past](#past-advisories).
If you are going to write about Home Assistant's security, please get in touch, so we can make sure that all claims are correct.
## Reporting a vulnerability
So, you have found a security vulnerability in Home Assistant? Please, be sure to [**responsibly disclose**](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure) it to us by [reporting a vulnerability using GitHub's Security Advisory](https://github.com/home-assistant/core/security/advisories/new).
**DO NOT MAKE A PUBLIC ISSUES FOR SECURITY VULNERABILITIES!**
We are mostly interested in reports by actual Home Assistant users that are familiar with the platform, but all high quality contributions are welcome. Please do your best to describe a clear and realistic impact for your report.
For the sake of the security of our users, please 🙏 do not make vulnerabilities public without notifying us and giving us at least 90 days to release a fixed version. We will do our best to respond to your report within 7 days and also to keep you informed of the progress of our efforts to resolve the issue, but understand that Home Assistant, like many open source projects, is relying heavily on volunteers that aren't full-time resources. We may not be able to respond as quickly as you would like due to other responsibilities.
If you are going to write about Home Assistants security, please [get in touch](mailto:hello@home-assistant.io), so we can ensure that all claims are correct.
### Non-qualifying vulnerabilities
We will not accept reports of vulnerabilities of the following types:
- Reports from automated tools or scanners.
- Theoretical attacks without proof of exploitability.
- Attacks that are the result of a third-party application or library (these should instead be reported to the library maintainers).
- Social engineering.
- Attacks that require the user to have access to the Home Assistant host system.
- Attacks involving physical access to a users device, or involving a device or network thats already seriously compromised (like, man-in-the-middle).
- Attacks that require the user to install a malicious other software, like a third-party integration, add-on, or plugin.
- Attacks that the user can only perform against their own setup.
- Privilege escalation attacks for logged in users. Home Assistant assumes every user is trusted and does not enforce user privileges. It assumes every logged in user has the same access as an owner account ([more information](/docs/authentication/#user-accounts)).
### Supported versions
We only accept reports against the latest stable & official versions of Home Assistant or any versions beyond that are currently in development or beta test. The latest version can be found on our [GitHub releases page](https://github.com/home-assistant/core/releases).
We do not accept reports against forks of Home Assistant.
### Severity scoring
If you are familiar with [CVSS3.1](https://www.first.org/cvss/v3.1/specification-document), please provide the vulnerability score in your report in the shape of a vector string. Theres a [calculator](https://www.first.org/cvss/calculator/3.1) that can be helpful. If you are unsure how or unable to score a vulnerability, state that in your report, and we will look into it.
If you intend to provide a score, please familiarize yourself with CVSS first (we strongly recommend reading the [Specification](https://www.first.org/cvss/v3.1/specification-document) and [Scoring Guide](https://www.first.org/cvss/v3.1/user-guide#Scoring-Guide)), as we will not accept reports that use it incorrectly.
### Public disclosure & CVE assignment
We will publish GitHub Security Advisories and through those, will also request CVEs, for valid vulnerabilities that meet the following criteria:
- The vulnerability is in Home Assistant itself, not a third-party library.
- The vulnerability is not already known to us.
- The vulnerability is not already known to the public.
- CVEs will only be requested for vulnerabilities with a severity of medium or higher.
### Bounties
As an open source project, Home Assistant cannot offer bounties for security vulnerabilities. However, if so desired, we of course will credit the discoverer of a vulnerability.
## Past advisories
The following is a list of past security advisories that have been published by the Home Assistant project.
**2023-03-08: Authentication bypass Supervisor API**
Severity: _Critical (CVSS: 10.0)_
Detailed information: _[Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-2j8f-h4mr-qr25)_
Assigned CVE: _[CVE-2023-27482](https://nvd.nist.gov/vuln/detail/CVE-2023-27482)_
Discovered by: _[Joseph Surin](https://jsur.in/) from [elttam](https://www.elttam.com/)_
Fixed in: _Core 2023.3.2, Supervisor 2023.03.3_
**2017-10-11: Cross-site scripting in Markdown output**
Severity: _Medium (CVSS: 6.1)_
Detailed information: _[Pull request](https://github.com/home-assistant/frontend/pull/514)_
Assigned CVE: _[CVE-2017-16782](https://nvd.nist.gov/vuln/detail/CVE-2017-16782)_
Discovered by: _Marcin Teodorczyk from [intive.com](https://intive.com/)_
Fixed in: _Core 0.57_
---
_This security page is heavily inspired by the one from [OctoPrint](https://octoprint.org). ❤️ If you are into 3D printing, check them out!_