@frenck, I appreciate you taking the time to respond. Having spent more than a decade and a half in cybersecurity and related fields, may I please make a suggestion? I would suggest that, given the majority of the HA user base does not have the background necessary to make this determination, you provide a follow-up with a “best practices” list of steps to perform as a result of this finding.
For example, as you saw in a question you responded to earlier in this thread, it’s not clear to all that credentials might have been compromised and should be rotated. In general, I don’t believe most HA users would know the full gamut of what is and isn’t possible with access to the API, or know how to find and interpret the API documentation. As such, these folks will not know exactly what had the potential to be compromised. Specifically, it would be nice to let the users know, in understandable terms, whether their credentials to third-party services were vulnerable, whether entered into HA using the GUI, stored in their secrets file, etc.
Since, as you mention, "the goal right now is to inform, create awareness and above all, give people the opportunity to ensure they are protected", it’s important to provide the users with answers to questions they might not even know they need to ask, such as: “Could a malicious actor, having exploited this vulnerability, potentially have access to my Google Drive, if I set up the third-party Google Drive Backup add-on?” I fully understand the HA team has no responsibility to secure third-party add-ons, yet I’d bet a good portion of the user base could really use a hand in better understanding the impact and how to react.
All of the above aside, I once again want to express appreciation and applaud the team for jumping on this to remedy the issue, as well as informing the user base of its existence.