If you discover a security vulnerability in this project, please report it by:
- Email: Contact the maintainer directly
- GitHub Security Advisory: Use the Security tab to report privately
- Do NOT create a public issue for security vulnerabilities
We will respond within 48 hours and work with you to understand and address the issue.
| Addon | Version | Supported |
|---|---|---|
| netboot.xyz | 1.0.x | ✅ Yes |
| Network UPS Tools | 1.0.x | ✅ Yes |
| Corosync QNetd | 1.0.x | ✅ Yes |
All Docker images are automatically scanned for vulnerabilities:
- Daily Scans: Automated Trivy scans at 02:00 UTC
- Pull Request Scans: Security validation before merge
- Build-time Scans: Images scanned during CI/CD pipeline
- SARIF Reports: Results available in GitHub Security tab
We follow standard CVE severity ratings:
| Severity | Response Time | Action |
|---|---|---|
| 🔴 CRITICAL | Immediate (< 24h) | Emergency patch release |
| 🟠 HIGH | 1-3 days | Priority fix in next release |
| 🟡 MEDIUM | 1-2 weeks | Scheduled fix |
| 🔵 LOW | Best effort | Fixed when convenient |
- ✅ Official Base Images: Alpine Linux and Debian from official sources
- ✅ Minimal Attack Surface: Only required packages installed
- ✅ Image Signing: All images signed with Cosign
- ✅ Regular Updates: Base images updated regularly
- ✅ Non-root User: Services run as unprivileged users where possible
- ✅ Dependency Scanning: npm audit during build
- ✅ Automated Patching: Security updates applied automatically
- ✅ Reproducible Builds: Version-pinned dependencies
- ✅ Supply Chain Security: Verified sources only
- ✅ AppArmor Profiles: Mandatory access control
- ✅ Capability Dropping: Minimal Linux capabilities
- ✅ Network Isolation: Only required ports exposed
- ✅ Read-only Filesystem: Where applicable
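To verify the non-root and capability-dropping items on this checklist against a running container rather than taking them on trust, the script below is an added example (not the repository's own code). It assumes docker is on PATH for the live check; the image name is a placeholder, and the two /proc status excerpts it tests against are constructed, not captured from the addons.

```shell
#!/bin/sh
# Added example, not part of the hassio-addons repository: confirm at runtime
# that a container runs unprivileged with no effective capabilities, by reading
# /proc/self/status from inside it. The parsing works on any status-style text,
# so the checks can also run offline against saved or constructed samples.
set -eu

# Hardened launch for comparison; the weak form would be "docker run --privileged".
# $1 = image reference (placeholder, not one of the addons' real tags)
hardened_run() {
  docker run --rm \
    --user 1000:1000 \
    --cap-drop ALL \
    --read-only --tmpfs /tmp \
    --security-opt no-new-privileges \
    "$1" cat /proc/self/status
}

# Count the bits set in a hex capability mask (e.g. the CapEff value), one
# nibble at a time so a full 64-bit mask never overflows shell arithmetic.
cap_bits() {
  hex="$1"; n=0
  while [ -n "$hex" ]; do
    c=${hex%"${hex#?}"}      # first character
    hex=${hex#?}             # rest of the string
    case "$c" in
      0) b=0 ;;
      1|2|4|8) b=1 ;;
      3|5|6|9|a|c|A|C) b=2 ;;
      7|b|d|e|B|D|E) b=3 ;;
      f|F) b=4 ;;
      *) echo "bad hex digit: $c" >&2; return 1 ;;
    esac
    n=$((n + b))
  done
  echo "$n"
}

# Print the first value of one field (e.g. Uid, CapEff) from status text on stdin.
status_field() {
  awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Return 0 when the status text ($1 = file) describes a non-root process holding
# no effective capabilities; print the reason and return 1 otherwise.
check_status() {
  uid=$(status_field Uid < "$1")
  capeff=$(status_field CapEff < "$1")
  if [ -z "$uid" ] || [ -z "$capeff" ]; then
    echo "FAIL: could not parse Uid/CapEff from $1"; return 1
  fi
  bits=$(cap_bits "$capeff")
  if [ "$uid" -eq 0 ]; then
    echo "FAIL: process runs as root (Uid 0)"; return 1
  fi
  if [ "$bits" -ne 0 ]; then
    echo "FAIL: $bits effective capabilities still held (CapEff $capeff)"; return 1
  fi
  echo "OK: uid $uid, no effective capabilities"
}

# Constructed /proc/<pid>/status excerpts for offline testing (not real captures):
# $1 = path for a root process with the full default mask, $2 = hardened process.
write_samples() {
  cat > "$1" <<'EOF'
Name: sh
Uid: 0 0 0 0
Gid: 0 0 0 0
CapEff: 000001ffffffffff
EOF
  cat > "$2" <<'EOF'
Name: sh
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
CapEff: 0000000000000000
EOF
}

# Live check: ./check_hardening.sh <image> launches the image hardened and
# inspects its own status; with no argument only the functions are defined.
if [ "$#" -eq 1 ]; then
  live=$(mktemp)
  hardened_run "$1" > "$live"
  check_status "$live"
fi
```

The read-only root filesystem is asserted by the `--read-only` flag at launch, so the inside-the-container check only needs to confirm the two items that can silently regress: the user id and the effective capability mask (a CapEff of all zeros after `--cap-drop ALL`).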
Check the Security tab for current vulnerability status.
- Severity: HIGH
- Component: systeminformation npm package
- Fixed in: Version 1.0.2
- Details: OS Command Injection in fsSize() function
- Resolution: Updated to systeminformation@5.27.14
- Severity: HIGH
- Component: libcurl4, libpam-modules (Debian packages)
- Fixed in: Version 1.0.2
- Details: Various security vulnerabilities in system libraries
- Resolution: Applied apt-get upgrade during build process
- Severity: CRITICAL
- Component: libsqlite3-0
- Status: Partial fix applied via apt-get upgrade
- Note: Fix availability depends on Debian security updates
- Severity: CRITICAL
- Component: zlib1g
- Status: Will not fix (marked by Debian)
- Note: Debian team has marked this as will_not_fix
- Mitigation: Monitor for future updates
- Severity: CRITICAL
- Component: SSH server with hardcoded credentials
- Fixed in: Version 1.0.0
- Details:
- Removed SSH server (openssh-server package)
- Removed hardcoded root password ('root:proxmox')
- Removed PermitRootLogin yes configuration
- Removed password authentication exposure
- Removed port 22 (SSH) from exposed ports
- Resolution: Complete removal of SSH functionality. Service now only exposes Corosync QNetd port 5403.
- Keep Updated: Always use the latest addon version
- Review Logs: Monitor addon logs for suspicious activity
- Network Segmentation: Isolate addons on separate networks if possible
- Backup Regularly: Maintain backups of addon configurations
- Review Permissions: Only grant necessary permissions
- Dependency Updates: Keep dependencies up to date
- Code Review: All PRs require review
- Security Testing: Test security implications of changes
- Secrets Management: Never commit secrets or credentials
- Least Privilege: Follow principle of least privilege
- Maintainer: henryhst
- Repository: https://github.com/henryhst/hassio-addons
- Security Tab: https://github.com/henryhst/hassio-addons/security
All images are scanned with Trivy:

```bash
# Scan netboot.xyz image
docker build -t netboot_xyz:test ./netboot_xyz
trivy image netboot_xyz:test
# Scan NUT image
docker build -t nut:test ./nut
trivy image nut:test
# Scan Corosync QNetd image
docker build -t corosyncd:test ./corosyncd
trivy image corosyncd:test
# Scan with specific severity
trivy image --severity CRITICAL,HIGH netboot_xyz:test
# Scan with VEX document (suppress known false positives)
trivy image --vex .vex/nut-known-issues.openvex.json nut:test
```

We publish VEX statements for known vulnerabilities that are false positives or have mitigated risk:
- Location: .vex/ directory
- Format: OpenVEX JSON
- Purpose: Reduce false positives and improve security transparency
- Documentation: See .vex/README.md
VEX statements help security scanners understand which vulnerabilities actually affect our addons.
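The scan commands above and the VEX statements described here come together in CI as one gate: build, scan with the VEX file applied, and fail only on findings that survive. The script below is an added example (not the repository's own tooling). It assumes docker and trivy on PATH for the live path; the CVE id, purl, image tag and report excerpt it tests against are constructed placeholders, and the OpenVEX field layout follows the v0.2.0 spec as far as Trivy's `--vex` option consumes it.

```shell
#!/bin/sh
# Added example, not part of the hassio-addons repository: write a minimal
# OpenVEX document, sanity-check it, then build and scan an addon image with
# Trivy and fail the build on CRITICAL/HIGH findings not covered by the VEX file.
set -eu

# Write an OpenVEX (v0.2.0) document with one "not_affected" statement.
# $1 = output path, $2 = CVE id (placeholder), $3 = product purl, $4 = justification
vex_write() {
  cat > "$1" <<EOF
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/$2",
  "author": "addon maintainer",
  "timestamp": "2025-01-06T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": { "name": "$2" },
      "products": [ { "@id": "$3" } ],
      "status": "not_affected",
      "justification": "$4",
      "impact_statement": "Vulnerable function is not reachable from the addon service."
    }
  ]
}
EOF
}

# Check a VEX file before CI trusts it: OpenVEX context present, every status one
# of the four values the spec allows, and a justification for not_affected.
vex_validate() {
  grep -q '"@context": *"https://openvex.dev/ns/v0.2.0"' "$1" \
    || { echo "missing OpenVEX context in $1"; return 1; }
  bad=$(grep -o '"status": *"[^"]*"' "$1" \
        | grep -v -E '"(not_affected|affected|fixed|under_investigation)"$' || true)
  [ -z "$bad" ] || { echo "invalid status in $1: $bad"; return 1; }
  if grep -q '"status": *"not_affected"' "$1" && ! grep -q '"justification":' "$1"; then
    echo "not_affected statements need a justification"; return 1
  fi
}

# Count findings of one severity in a Trivy JSON report ($1 = report, $2 = severity).
count_findings() {
  grep -o "\"Severity\": *\"$2\"" "$1" | wc -l | tr -d ' '
}

# Fail when CRITICAL or HIGH findings remain after Trivy applied the VEX file.
gate_report() {
  crit=$(count_findings "$1" CRITICAL)
  high=$(count_findings "$1" HIGH)
  if [ "$crit" -gt 0 ] || [ "$high" -gt 0 ]; then
    echo "FAIL: $crit CRITICAL, $high HIGH findings in $1"; return 1
  fi
  echo "OK: no CRITICAL/HIGH findings in $1"
}

# Build and scan one addon; needs docker and trivy. $1 = addon dir, $2 = tag, $3 = VEX file.
# --ignore-unfixed hides findings the distribution has no fix for (the page's
# will_not_fix case); drop it if those should still block the build.
scan_addon() {
  vex_validate "$3"
  docker build -t "$2" "$1"
  report="${2%%:*}.trivy.json"
  trivy image --vex "$3" --ignore-unfixed --severity CRITICAL,HIGH \
    --format json --output "$report" "$2"
  gate_report "$report"
}

# Constructed Trivy-style report excerpt for offline testing (not a real scan).
write_sample_report() {
  cat > "$1" <<'EOF'
{
  "Results": [
    {
      "Target": "example:test (debian 12)",
      "Vulnerabilities": [
        { "VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "HIGH", "FixedVersion": "1.2.3" },
        { "VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2", "Severity": "MEDIUM", "FixedVersion": "" }
      ]
    }
  ]
}
EOF
}

# Usage: ./scan_addon.sh ./nut nut:test .vex/nut-known-issues.openvex.json
if [ "$#" -eq 3 ]; then
  scan_addon "$1" "$2" "$3"
fi
```

The validation step matters because Trivy silently ignores statements it cannot parse or match: a typo in the status or a purl that does not match the scanned image leaves the finding visible and the gate red, so checking the file itself is the first thing to do when a suppression "does not work".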
For netboot.xyz addon:

```bash
cd netboot_xyz
# Check for vulnerabilities
npm audit
# Fix automatically
npm audit fix
```

- We follow responsible disclosure practices
- Security issues are fixed before public disclosure
- Credits given to reporters (unless they wish to remain anonymous)
- Security advisories published after fixes are released
- Watch this repository for security updates
- Subscribe to release notifications
- Check the Security tab regularly
- Follow changelog for security fixes
Last Updated: 2025-01-06
For questions about this security policy, please open a discussion or contact the maintainer.