Update security page #29291

Merged
merged 8 commits into from
Oct 11, 2023
80 changes: 75 additions & 5 deletions source/security/index.markdown
@@ -1,11 +1,81 @@
---
title: "Security"
description: "Information about disclosing security vulnerabilities in Home Assistant."
description: "Home Assistant takes its security seriously. This page contains information about how we handle security issues, how to report them, and also information on past security issues."
---

If you think that you have found a security vulnerability in Home Assistant, please disclose it to us via our security e-mail address at [[email protected]](mailto:[email protected]).
Home Assistant takes its security seriously. We will do everything in our power to ensure that our users are safe.

Please do not make vulnerabilities public without notifying us and giving us at least 3 days to respond.
This page is intended to provide information about how to report security issues with us, and how they are handled. Additionally, it provides details about reported security issues we have [handled in the past](#past-advisories).

If you are going to write about Home Assistant's security, please get in touch, so we can make sure that all claims are correct.

## Reporting a vulnerability

So, you have found a security vulnerability in Home Assistant? Please, be sure to [**responsibly disclose**](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure) it to us by [reporting a vulnerability using GitHub's Security Advisory](https://github.com/home-assistant/core/security/advisories/new).

**DO NOT MAKE A PUBLIC ISSUES FOR SECURITY VULNERABILITIES!**

We are mostly interested in reports by actual Home Assistant users that are familiar with the platform, but all high quality contributions are welcome. Please do your best to describe a clear and realistic impact for your report.

For the sake of the security of our users, please 🙏 do not make vulnerabilities public without notifying us and giving us at least 90 days to release a fixed version. We will do our best to respond to your report within 7 days and also to keep you informed of the progress of our efforts to resolve the issue, but understand that Home Assistant, like many open source projects, is relying heavily on volunteers that aren't full-time resources. We may not be able to respond as quickly as you would like due to other responsibilities.

If you are going to write about Home Assistant’s security, please [get in touch](mailto:[email protected]), so we can ensure that all claims are correct.

### Non-qualifying vulnerabilities

We will not accept reports of vulnerabilities of the following types:

- Reports from automated tools or scanners.
- Theoretical attacks without proof of exploitability.
- Attacks that are the result of a third-party application or library (these should instead be reported to the library maintainers).
- Social engineering.
- Attacks that require the user to have access to the Home Assistant host system.
- Attacks involving physical access to a user’s device, or involving a device or network that’s already seriously compromised (like, man-in-the-middle).
- Attacks that require the user to install a malicious other software, like a third-party integration, add-on, or plugin.
- Attacks that the user can only perform against their own setup.
- Privilege escalation attacks for logged in users. Home Assistant assumes every user is trusted and does not enforce user privileges. It assumes every logged in user has the same access as an owner account ([more information](/docs/authentication/#user-accounts)).

### Supported versions

We only accept reports against the latest stable & official versions of Home Assistant or any versions beyond that are currently in development or beta test. The latest version can be found on our [GitHub releases page](https://github.com/home-assistant/core/releases).

We do not accept reports against forks of Home Assistant.

### Severity scoring

If you are familiar with [CVSS3.1](https://www.first.org/cvss/v3.1/specification-document), please provide the vulnerability score in your report in the shape of a vector string. There’s a [calculator](https://www.first.org/cvss/calculator/3.1) that can be helpful. If you are unsure how or unable to score a vulnerability, state that in your report, and we will look into it.

If you intend to provide a score, please familiarize yourself with CVSS first (we strongly recommend reading the [Specification](https://www.first.org/cvss/v3.1/specification-document) and [Scoring Guide](https://www.first.org/cvss/v3.1/user-guide#Scoring-Guide)), as we will not accept reports that use it incorrectly.

### Public disclosure & CVE assignment

We will publish GitHub Security Advisories and through those, will also request CVEs, for valid vulnerabilities that meet the following criteria:

- The vulnerability is in Home Assistant itself, not a third-party library.
- The vulnerability is not already known to us.
- The vulnerability is not already known to the public.
- CVEs will only be requested for vulnerabilities with a severity of medium or higher.

### Bounties

As an open source project, Home Assistant cannot offer bounties for security vulnerabilities. However, if so desired, we of course will credit the discoverer of a vulnerability.

## Past advisories

The following is a list of past security advisories that have been published by the Home Assistant project.

**2023-03-08: Authentication bypass Supervisor API**
Severity: _Critical (CVSS: 10.0)_
Detailed information: _[Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-2j8f-h4mr-qr25)_
Assigned CVE: _[CVE-2023-27482](https://nvd.nist.gov/vuln/detail/CVE-2023-27482)_
Discovered by: _[Joseph Surin](https://jsur.in/) from [elttam](https://www.elttam.com/)_
Fixed in: _Core 2023.3.2, Supervisor 2023.03.3_

**2017-10-11: Cross-site scripting in Markdown output**
Severity: _Medium (CVSS: 6.1)_
Detailed information: _[Pull request](https://github.com/home-assistant/frontend/pull/514)_
Assigned CVE: _[CVE-2017-16782](https://nvd.nist.gov/vuln/detail/CVE-2017-16782)_
Discovered by: _Marcin Teodorczyk from [intive.com](https://intive.com/)_
Fixed in: _Core 0.57_

---

_This security page is heavily inspired by the one from [OctoPrint](https://octoprint.org). ❤️ If you are into 3D printing, check them out!_
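Review bot: the bold warning under "Reporting a vulnerability" has a grammar slip, "DO NOT MAKE A PUBLIC ISSUES FOR SECURITY VULNERABILITIES!", which should read "DO NOT OPEN PUBLIC ISSUES FOR SECURITY VULNERABILITIES!" since this is the one line every reporter will read. Two smaller wording points in the same hunk: the non-qualifying list says "install a malicious other software, like a third-party integration, add-on, or plugin", which reads more naturally as "install other malicious software, such as a third-party integration, add-on, or plugin", and the severity section writes "CVSS3.1" where the linked spec calls it "CVSS v3.1". Finally, under "Public disclosure & CVE assignment" the last bullet, "CVEs will only be requested for vulnerabilities with a severity of medium or higher", is a policy statement sitting in a list of criteria; restating it as a criterion ("The vulnerability has a severity of medium or higher.") keeps the list parallel and makes the threshold read as a condition for requesting a CVE rather than an aside.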