List of vulnerabilities (CVEs)

Hi dear HomeAssistant Team,

first of all, I really appreciate all your work. It’s great to have such an active community with many new features in each and every version!

I am running my HomeAssistant locally in a docker container. It is very easy to update, but usually I only update every 4-6 weeks. So, I am usually some minor versions behind. I can access my local HomeAssistant via Wireguard-VPN from outside my network.

HomeAssistant is very strong in privacy, which is great. On the other hand, you are very weak on communication around security. In my professional life, I have a lot to do with critical IT infrastructure in a healthcare environment. Every major supplier provides lists of CVEs per version. If there is anything critical, we have to immediately update our infrastructure. (network, servers, major applications, …)

I would love to see HomeAssistant providing security related information: if a critical CVE pops up and updating HomeAssistant is strongly advised, I would like to know. (This should include not only core HomeAssistant, but all the integrations and favorable HACS as well.)

Thank you,
Chris

Hi

As far as I can remember, a problem already happened in the past with Nabu Casa and the update was quickly pushed, and as always with security issues, you first patch it promptly and then, once the patch is available, you publish the information about it :wink:
If you are really concerned about the security of your system, I would advise not to use Nabu Casa, keep HA only available from the LAN and use a VPN to remotely access it!

Vincèn

1 Like

This list already exists here: https://www.home-assistant.io/security/#past-advisories

1 Like

If one of the suggestions listed solves your problem, please consider clicking the solution button to close the thread.

How to help us help you - or How to ask a good question.

Thank you for that link. This page is a good start, but far from good enough.
There is this on the page:

Public disclosure & CVE assignment
We will publish GitHub Security Advisories and through those, will also request CVEs, for valid vulnerabilities that meet the following criteria:

  • The vulnerability is in Home Assistant itself, not a third-party library.
  • The vulnerability is not already known to us.
  • The vulnerability is not already known to the public.
  • CVEs will only be requested for vulnerabilities with a severity of medium or higher.

If you don’t include third party libraries used within the core of HomeAssistant, you expect me to know all the dependencies. As a non developer, I don’t know the dependencies. (e.g. does HomeAssistant use log4j? There is nothing on the page for the incident of 2021, but I guess, log4j is/was part of the dependencies. The community should have been informed about it and everybody should have updated their installation immediately.)

Past advisories

There is one CVE mentioned for 2025, none for 2024, 11 for 2023 and 1 for 2017.
For a web application undergoing that much change, I would expect many more CVEs.

In order to take security seriously, published CVEs should include integrations as well. You should start forcing the integration providers to publish their dependencies and versions. I know, this is probably not feasible right now, but it should be in your strategy. If HomeAssistant is well managed and secure, but I have 10 integrations calling APIs on the internet and doing all other sorts of things, there is some risk to it.

That’s what I do:

  • There is the modem/router from my internet service provider with its own firewall and NAT.
  • Behind that, there is my Unifi network with its own firewall and network segmentation.
  • HomeAssistant running in a docker container with a macvlan to be able to have the container in a different VLAN than my server.
  • I can remote access via wireguard VPN into my network.
There is some level of security, but this is nothing you could expect from a normal user.
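The post above asks how a non-developer can know which dependencies an installation has and whether any of them carry a published CVE. Home Assistant core is a Python application, so `pip freeze` run inside the container produces an installed-package list in `name==version` form. The script below is an added example, not Home Assistant project code or anything from this thread: it parses such a list and matches it against advisories that state an affected version range. The package names, the advisory entries and the `CVE-0000-000x` identifiers are constructed placeholders for the example only; in practice the advisory data would come from a vulnerability database such as OSV or the GitHub Advisory Database.

```python
"""Match an installed Python package list against known advisories.

Added example (not Home Assistant code). Input 1 is `pip freeze` output;
input 2 is a list of advisories with an affected version range. Both
samples below are CONSTRUCTED: fictional package names and placeholder
CVE ids, not real vulnerabilities.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    cve: str          # placeholder id in this example
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    severity: str


def parse_version(text):
    """Turn '2.31.0' into (2, 31, 0); a non-numeric suffix such as 'rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def parse_freeze(text):
    """Parse `pip freeze` output ('name==version' per line) into {name: version}."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        installed[name.strip().lower()] = version.strip()
    return installed


def is_affected(version, advisory):
    """True when introduced <= version < fixed (tuple comparison)."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def find_vulnerable(installed, advisories):
    """Return (package, installed version, advisory) for every match."""
    hits = []
    for adv in advisories:
        name = adv.package.lower()
        if name in installed and is_affected(installed[name], adv):
            hits.append((name, installed[name], adv))
    return hits


def audit_report(freeze_text, advisories):
    """One human-readable line per affected package, with the fix version."""
    hits = find_vulnerable(parse_freeze(freeze_text), advisories)
    return [f"{n}=={v}: {a.cve} ({a.severity}), fixed in {a.fixed}" for n, v, a in hits]


# Constructed sample input: fictional package names, not a real dependency list.
SAMPLE_FREEZE = """\
# constructed sample, not a real Home Assistant dependency list
examplehttp==3.8.5
demoyaml==6.0.1
samplecrypto==41.0.3
unrelatedlib==1.2.3
"""

# Constructed advisories with placeholder ids; no real CVE is referenced.
SAMPLE_ADVISORIES = [
    Advisory("examplehttp", "CVE-0000-0001 (placeholder)", "3.0.0", "3.8.6", "high"),
    Advisory("demoyaml", "CVE-0000-0002 (placeholder)", "5.1", "6.0", "medium"),
    Advisory("samplecrypto", "CVE-0000-0003 (placeholder)", "40.0.0", "41.0.0", "critical"),
]


if __name__ == "__main__":
    for line in audit_report(SAMPLE_FREEZE, SAMPLE_ADVISORIES):
        print(line)
```

Only `examplehttp` is reported: `demoyaml` 6.0.1 and `samplecrypto` 41.0.3 both sit at or above their advisory's fixed version. The version comparison is deliberately simple (numeric dot-separated components only); for real package lists the `packaging` library's `Version` class handles pre-release and post-release tags correctly and should replace `parse_version`.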