Only the latest release of Budpy (web app and firmware) receives security fixes. Please update to the most recent version before reporting.
Please do not open a public issue for security vulnerabilities.
Instead, report it privately via GitHub Security Advisories.
Include:
- A description of the vulnerability and its impact
- Steps to reproduce or a proof of concept
- The affected area (web app, firmware, a specific plugin)
You should receive an acknowledgement within a few days. Once the issue is confirmed and fixed, the fix will be released and the advisory published.
- Budpy stores WiFi credentials and API tokens (e.g. Home Assistant) in plain text on the device filesystem and in the browser's localStorage. This is a known design constraint of the platform, not a reportable vulnerability — only flash devices and use tokens you control.
- Firmware HTTPS requests currently skip certificate validation
(
setInsecure()), which is a known limitation of the ESP32 TLS setup.