If you have found a vulnerability in ESPHome, please be sure to responsibly disclose it to us by reporting a vulnerability using GitHub’s Security Advisory.

DO NOT MAKE A PUBLIC ISSUE FOR SECURITY VULNERABILITIES!

For the sake of the security of our users, please 🙏 do not make vulnerabilities public without notifying us and giving us at least 90 days to release a fixed version. We will do our best to respond to your report within 7 days and also to keep you informed of the progress of our efforts to resolve the issue, but understand that ESPHome, like many open source projects, is relying heavily on volunteers that aren’t full-time resources. We may not be able to respond as quickly as you would like due to other responsibilities.

We only accept reports against the latest stable & official versions of ESPHome or any versions beyond that are currently in development or beta test. The latest version can be found on our GitHub releases page.

We do not accept reports against forks of ESPHome.

We will publish GitHub Security Advisories and through those, will also request CVEs, for valid vulnerabilities that meet the following criteria:

• The vulnerability is in ESPHome itself, not any third-party library or external component.
• The vulnerability is not already known to us.
• The vulnerability is not already known to the public.
• CVEs will only be requested for vulnerabilities with a severity of medium or higher.

As an open source project, ESPHome cannot offer bounties for security vulnerabilities. However, if so desired, we of course will credit the discoverer of a vulnerability.