Home Assistant hired Cure53 to do a security audit as part of our regular security assessments. You are safe. No authentication bypasses have been found.

All reported issues have been addressed as part of Home Assistant 2023.9, released on September 6, 2023

  • Cure53 found issues in Home Assistant, 3 of which were marked as “critical” severity
  • The GitHub Security Lab also audited Home Assistant and found six non-critical issues. Two of the issues overlapped with Cure53.
  • No authentication bypasses have been found
  • rhymepurple@lemmy.mlEnglish
    4·
    8 months ago

    I agree that Home Assistant’s audit is a good thing. While I love that Home Assistant is open source, I’m not sure how that impacts the audit. Proprietary, closed source software can be audited with few differences from an open source software’s audit. The biggest difference is that you, myself, or anyone could audit open source software, but it would not be easy for that to happen with closed source software.

    • AliasAKA@lemmy.worldEnglish
      1·
      8 months ago

      Sure, but closed source audits aren’t often made public. So we don’t know when, or how, closed source software is audited. Beyond just our ability to self audit open source, we often get better reporting on the contracted audits performed on open source software.

    • Big P@feddit.ukEnglish
      1·
      8 months ago

      It’s easier to find something like XSS or auth bypass when you can read the code