| Version | Supported |
|---|---|
| 2.6.x | Yes |
| 2.5.x | Yes |
| < 2.5 | No |
If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public issue
- Email the maintainer at the address listed on their GitHub profile
- Include a description of the vulnerability, steps to reproduce, and potential impact
- Allow reasonable time for a fix before public disclosure
M.A.S.S. Trap is designed for local network use (home WiFi). It is not intended to be exposed to the public internet. Keep the following in mind:
- API authentication: all API endpoints require an `X-API-Key` header. The key is the OTA password set in the config.
- WiFi credentials: stored in LittleFS on the device and never transmitted over ESP-NOW.
- OTA updates: protected by password authentication.
- Web UI: served over plain HTTP (not HTTPS) on the local network only, so the API key travels in cleartext on that network.
- ESP-NOW: unencrypted broadcast protocol used for device-to-device communication on the same WiFi channel.
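The request-side check that the `X-API-Key` rule above implies, as an added example that is not code from the M.A.S.S. Trap firmware. It assumes the configured key (the OTA password) is already loaded from config as a NUL-terminated string and that the handler sees the raw HTTP/1.1 request head; the names `api_key_check`, `find_header` and `ApiKeyResult`, and the sample key and requests, are made up for the example. Two details matter in practice: header names are case-insensitive, so a client sending `x-api-key:` must be accepted, and the comparison must not stop at the first mismatching byte.

```c
/* Added example, not code from the M.A.S.S. Trap firmware: validating the
 * X-API-Key header against the configured key (the OTA password).
 * Assumptions: configured_key is a NUL-terminated string from config; the
 * request is raw HTTP/1.1 text. api_key_check, find_header and ApiKeyResult
 * are hypothetical names. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define API_KEY_MAX 64

typedef enum {
    API_KEY_OK = 200,             /* header present and matches */
    API_KEY_MISSING = 401,        /* no X-API-Key header in the request head */
    API_KEY_WRONG = 403,          /* header present, value does not match */
    API_KEY_NOT_CONFIGURED = 503  /* empty or oversized key in config: fail closed */
} ApiKeyResult;

/* Copy the value of header `name` from the request head into out.
 * Header names are case-insensitive, so "x-api-key:" matches too; a plain
 * strstr() for "X-API-Key" would wrongly reject such clients. Scanning stops
 * at the blank line, so a key placed in the body is not honoured. An
 * over-long value is reported as present but empty, so it can never match.
 * Returns 1 if the header was found, 0 otherwise. */
int find_header(const char *request, const char *name, char *out, size_t outsz) {
    size_t nlen = strlen(name);
    const char *line = request;
    while (*line && strncmp(line, "\r\n", 2) != 0) {
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen > nlen && line[nlen] == ':') {
            size_t i;
            int match = 1;
            for (i = 0; i < nlen; i++) {
                if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i])) {
                    match = 0;
                    break;
                }
            }
            if (match) {
                const char *v = line + nlen + 1;
                size_t vlen;
                while (v < line + linelen && (*v == ' ' || *v == '\t')) v++;
                vlen = (size_t)(line + linelen - v);
                while (vlen && (v[vlen - 1] == ' ' || v[vlen - 1] == '\t')) vlen--;
                if (vlen >= outsz) vlen = 0;   /* too long to be a valid key */
                memcpy(out, v, vlen);
                out[vlen] = '\0';
                return 1;
            }
        }
        if (!eol) break;
        line = eol + 2;
    }
    return 0;
}

/* Compare without early exit, so response time does not reveal how many
 * leading bytes of the supplied key were right. Every byte and the length
 * difference are folded into one accumulator. */
static int ct_equal(const char *a, size_t alen, const char *b, size_t blen) {
    size_t n = alen > blen ? alen : blen, i;
    unsigned diff = (unsigned)(alen ^ blen);
    for (i = 0; i < n; i++) {
        unsigned ca = i < alen ? (unsigned char)a[i] : 0;
        unsigned cb = i < blen ? (unsigned char)b[i] : 0;
        diff |= ca ^ cb;
    }
    return diff == 0;
}

/* Decide the HTTP status for an API request. An unset key refuses every
 * request rather than letting everything through. */
ApiKeyResult api_key_check(const char *configured_key, const char *request) {
    char supplied[API_KEY_MAX + 1];
    if (configured_key == NULL || configured_key[0] == '\0' ||
        strlen(configured_key) > API_KEY_MAX)
        return API_KEY_NOT_CONFIGURED;
    if (!find_header(request, "X-API-Key", supplied, sizeof supplied))
        return API_KEY_MISSING;
    return ct_equal(supplied, strlen(supplied), configured_key, strlen(configured_key))
               ? API_KEY_OK : API_KEY_WRONG;
}

int main(void) {
    /* Constructed sample key and requests for the demo. */
    const char *key = "mass-trap-ota-secret";
    const char *good = "GET /api/status HTTP/1.1\r\nHost: masstrap.local\r\n"
                       "x-api-key: mass-trap-ota-secret\r\n\r\n";
    const char *bad = "GET /api/status HTTP/1.1\r\nHost: masstrap.local\r\n"
                      "X-API-Key: mass-trap-ota-secreT\r\n\r\n";
    const char *none = "GET /api/status HTTP/1.1\r\nHost: masstrap.local\r\n\r\n";
    printf("good=%d bad=%d none=%d unset=%d\n",
           api_key_check(key, good), api_key_check(key, bad),
           api_key_check(key, none), api_key_check("", good));
    return 0;
}
```

The check has to run on every `/api` route, the OTA upload handler included; a single unguarded route is an authentication bypass of the kind the scope section below asks to have reported. Note that the key is still sent in the clear over HTTP, which is why the policy confines the device to the local network and treats man-in-the-middle there as out of scope.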
Security reports are welcome for:
- Authentication bypass on API endpoints
- Cross-site scripting (XSS) in the web dashboard
- Credential exposure in firmware or web UI
- Unauthorized OTA firmware uploads
Out of scope:
- Physical access attacks (if someone has physical access to the ESP32, security is moot)
- Denial of service on local network
- Issues requiring man-in-the-middle on the local network