We actively support the following versions of esphome-client with security updates:

We take security vulnerabilities seriously. If you discover a security vulnerability in esphome-client, please help us by reporting it responsibly.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please send fill in the form with the following information:

• Subject Line: "Security Vulnerability in esphome-client"
• Description: A detailed description of the vulnerability
• Steps to Reproduce: Clear steps to reproduce the issue
• Impact: Description of the potential impact
• Affected Versions: Which versions are affected
• Suggested Fix: If you have suggestions for fixing the issue

• Acknowledgment: We will acknowledge receipt of your vulnerability report within 5 business days
• Regular Updates: We will try to keep you informed of our progress
• Resolution Timeline: We aim to resolve critical vulnerabilities within 90 days
• Credit: We will credit you for the discovery (unless you prefer to remain anonymous)

We kindly ask that you:

• Give us reasonable time to investigate and fix the issue before public disclosure
• Avoid accessing, modifying, or deleting data that doesn't belong to you
• Don't perform actions that could harm the reliability or integrity of our services
• Don't use social engineering, physical attacks, or attacks against third parties

When using esphome-client:

• Never commit API keys to version control
• Use environment variables or secure configuration files
• Rotate keys regularly
• Use unique keys per device when possible

• Use encrypted connections (Noise protocol) when available
• Validate server certificates in production
• Consider using VPNs or network isolation for IoT devices
• Monitor network traffic for unusual patterns

• Validate all data received from ESPHome devices
• Sanitize data before logging or displaying
• Be cautious with device names and other user-controllable fields

• Keep dependencies up to date
• Regularly audit dependencies for vulnerabilities
• Use cargo audit to check for known vulnerabilities

We are particularly interested in vulnerabilities related to:

• Authentication bypass: Issues with API key validation
• Code injection: Malicious data from devices causing code execution
• Denial of service: Issues that could crash or hang the client
• Information disclosure: Unintended exposure of sensitive data
• Cryptographic issues: Problems with the Noise protocol implementation
• Dependency vulnerabilities: Issues in third-party crates

esphome-client includes several security features:

• Memory safety: Written in Rust, preventing many common vulnerabilities
• No unsafe code: The codebase forbids unsafe code blocks
• Input validation: Protocol messages are validated using protobuf
• Encrypted communication: Support for Noise protocol encryption
• Dependency auditing: Regular security audits of dependencies

This security policy covers:

• The esphome-client library code
• Build scripts and configuration
• Documentation that could affect security
• Dependencies when they affect esphome-client security

This policy does not cover:

• ESPHome firmware vulnerabilities (report to ESPHome project)
• Network infrastructure vulnerabilities
• Operating system or hardware vulnerabilities
• Vulnerabilities in applications using esphome-client (unless caused by the library)

Thank you for helping keep esphome-client and its users safe! 🔒