Security: asdteke/HomeInventory

SECURITY.md

🛡️ Security Matters to Us

Keeping HomeInventory—and the data of everyone who uses it—safe and secure is one of our absolute top priorities. We deeply appreciate the security community's work in helping us protect our users.

Thank you for taking the time to report any vulnerabilities you find. Let's work together to fix them quickly and safely!

📌 Supported Versions

Currently, we focus our security patches and fixes on our active development branch.

| Version | Actively Supported |
| --- | --- |
| main | ✅ Yes |
| Older snapshots, forks & unmaintained branches | ❌ No |

🕵️‍♀️ How to Report a Vulnerability

Please do not report security vulnerabilities in public GitHub issues, discussions, or pull requests. Doing so might put our users at risk before we have a chance to fix the issue.

Instead, please follow this safe process:

  1. Use GitHub's Private Reporting: If this repository has "Private vulnerability reporting" enabled, please use that feature! It's the fastest and safest way to reach us.
  2. Use a private contact route if one is publicly listed: If the repository, project website, or deployment publishes a support or maintainer contact address, please use that before sharing any details publicly.
  3. If no private route is listed: Open a very short public issue that does not include the vulnerability details and only asks the maintainer for a private way to report it.

When you send us a report, please try to include:

  • The specific endpoint, feature, or area affected.
  • Clear, step-by-step instructions or a proof-of-concept (PoC) to help us reproduce the issue.
  • The expected impact of the vulnerability.
  • Whether someone needs to be authenticated or have special settings to exploit it.
  • Any ideas you have for a fix or mitigation! (We love suggestions).

⏱️ What to Expect from Us

We take your reports seriously. Here is what we aim for:

  • We will acknowledge receipt of a valid report as quickly as we can.
  • We will work to reproduce the issue and assess its severity.
  • We will decide on a fix or mitigation plan and share status updates when possible.
  • When appropriate, we will coordinate public disclosure after a patch or mitigation is available.

(Please note: We are humans, so response times might vary a bit based on the complexity of the issue and our availability, but we won't ignore you!)

🎯 High-Priority Areas

We are especially interested in reports regarding:

  • Authentication or authorization bypasses.
  • Issues with our 2FA, recovery keys, or trusted-device flows.
  • Weaknesses in our encryption, critical key handling, or secret management.
  • Vulnerabilities in file uploads, media processing, or backup integrations.
  • Anything that leads to account takeover, privilege escalation, or unauthorized data exposure.

🤝 Safe Harbor

We consider your work a valuable contribution to this project. If you act in good faith, avoid violating the privacy of our users, avoid disrupting our services (no DDoS, please!), and give us a reasonable amount of time to patch the issue before making it public, we will treat your research as a responsible, highly appreciated security report.