Last updated: 2025-09-16

We support the latest version of the Send to Home Assistant extension. Please ensure you are using the most recent release before reporting any security issues.

Do NOT create a public GitHub issue for security vulnerabilities.

Please report security issues using one of the following methods:

• GitHub Security Advisory: Use GitHub’s “Report a vulnerability” feature on this repo.

• Clear description of the vulnerability
• Impact (potential attacker actions)
• Reproduction steps
• Environment details (browser, extension, OS versions)
• Proof of concept (if possible)

This extension processes sensitive information:

• URLs, page titles, selected text
• Home Assistant webhook URLs and credentials
• Browser extension permissions

• XSS Prevention: Data is sanitized before display (test page)
• Data Transmission: Data is sent only to your configured Home Assistant instance
• Storage Security: Configurations are stored securely in the browser
• Permissions: Extension requests only the minimum required permissions

• Acknowledgment: Within 72 hours
• Assessment: Within 1 week
• Resolution: As soon as possible, depending on complexity

We support responsible disclosure. No legal action will be taken against researchers who:

• Report vulnerabilities through the channels above
• Minimize impact to users and data
• Avoid testing on others' systems without permission
• Allow us reasonable time to resolve issues prior to public disclosure

• Use HTTPS for your Home Assistant instance
• Keep the extension updated
• Use long, random webhook IDs
• Secure your Home Assistant network
• Regularly review extension permissions

• No personal data is collected
• No data sent to third parties
• Data sent only to your configured Home Assistant webhook
• Configuration is stored locally in secure browser storage

See the Privacy Notice for details.

For security-related questions or concerns, please use the reporting methods above.

Thank you for helping keep Send to Home Assistant secure!