We release patches for security vulnerabilities for the following versions:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |

We take the security of our integration seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:
- Email: Send details to garthdb@gmail.com
- GitHub Security Advisory: Use the Security Advisory feature on the GitHub repository

Please include the following information in your report:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability, including how an attacker might exploit it

After you report a vulnerability, you can expect:
- Initial Response: Within 48 hours, you'll receive an acknowledgment of your report
- Status Updates: We'll keep you informed about our progress
- Fix Timeline: We aim to release a fix within 90 days of the initial report
- Credit: With your permission, we'll credit you in the security advisory

The integration applies the following security measures:
- Credentials Storage: User credentials are stored in Home Assistant's secure config entry system
- Token Handling: API tokens are stored in memory only and refreshed as needed
- No Logging: Credentials and tokens are never logged
- HTTPS Only: All API communication uses HTTPS
- Token Authentication: API tokens are sent in headers, not URLs
- Rate Limiting: Built-in rate limiting prevents abuse
- Local Processing: All data processing happens locally in Home Assistant
- No Third-Party Sharing: We don't share data with any third parties
- Minimal Data Collection: Only necessary device and temperature data is fetched
- Regular Updates: Dependencies are regularly updated for security patches
- Minimal Dependencies: We use minimal external dependencies
- Dependency Scanning: Automated security scanning via GitHub Actions

We recommend that users follow these practices:
- Strong Passwords: Use strong, unique passwords for your FireBoard account
- Keep Updated: Keep Home Assistant and this integration updated
- Secure Network: Ensure your Home Assistant instance is on a secure network
- HTTPS: Access Home Assistant over HTTPS
- Firewall: Use a firewall to restrict access to Home Assistant

Please be aware of the following limitations:
- Cloud API Dependency: This integration relies on FireBoard's cloud API
- API Rate Limits: FireBoard enforces a rate limit of 200 API calls per hour
- No Local Access: Currently there is no support for local network access

When we receive a security bug report, we will:
- Confirm the problem and determine affected versions
- Audit code to find any similar problems
- Prepare fixes for all supported versions
- Release patches as soon as possible
- Publish a security advisory on GitHub

To receive security updates:
- Watch Repository: Click "Watch" → "Custom" → "Security alerts"
- GitHub Notifications: Enable notifications for security advisories
- HACS: Keep the HACS-installed integration updated for automatic notifications

Security features at a glance:
- ✅ Secure credential storage via Home Assistant config entries
- ✅ HTTPS-only API communication
- ✅ Token-based authentication with automatic refresh
- ✅ Rate limiting to prevent API abuse
- ✅ No credential logging
- ✅ Automated dependency security scanning
- ✅ Regular security updates

For security concerns, contact:
- Email: garthdb@gmail.com
- GitHub: @GarthDB

We appreciate the security research community and will credit researchers who responsibly disclose vulnerabilities (with their permission).