Security: dmoo500/ha-github-card

SECURITY.md

Security Policy

Supported Versions

Version   Supported
latest    Yes
< 0.0.3   No

Reporting a Vulnerability

Please do not open a public issue for security vulnerabilities.

Report privately via GitHub Security Advisories or by emailing the maintainer directly.

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact

Response Timeline

This is a single-maintainer open-source project. I will do my best to:

  • Acknowledge your report within 7 days
  • Assess and respond with a plan within 14 days
  • Release a fix within 30 days where technically feasible

Scope

Relevant areas for this project:

  • XSS via entity attributes — the card renders data from Home Assistant entity attributes into the DOM
  • Inline style injection — slot_colors config values are written into inline style attributes
  • Dependency vulnerabilities — third-party packages (lit, vite, etc.)
  • External image loading — avatar URLs are loaded from avatars.githubusercontent.com
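The three in-scope surfaces above each come down to an input-validation decision before a value reaches the DOM. The following is an added example, not code from the ha-github-card project, showing the checks a reviewer would expect for each: escaping when HTML is built by hand, a closed grammar for slot_colors before they are written into a style attribute, and an exact-host allowlist for avatar URLs. It is plain Node.js so it runs without lit or a DOM; the config key slot_colors, the slot names, the custom-property naming scheme and the entity attribute names are assumptions for illustration.

```javascript
// Added example, not the project's own code. Validators for the three attack
// surfaces listed under Scope. Config/attribute names below are assumed.

// 1. XSS via entity attributes. Lit's html`` template escapes values
//    interpolated as text, so the risk is opting into raw HTML (unsafeHTML,
//    innerHTML). If a string ever has to be built by hand, escape it first.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// 2. Inline style injection via slot_colors. Only a closed grammar of colour
//    values (hex, a bare keyword, rgb()/rgba() with numeric args) is written
//    into the style attribute; anything else, e.g. a `;` that starts a new
//    declaration, `url(...)` or `expression(...)`, falls back to a default.
//    Slot names are constrained separately so they cannot terminate the
//    custom-property name either.
const COLOR_RE = /^(?:#(?:[0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})|[a-z]{3,20}|rgba?\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}(?:\s*,\s*(?:0|1|0?\.\d+))?\s*\))$/i;
const SLOT_NAME_RE = /^[a-z][a-z0-9_-]{0,31}$/;
const DEFAULT_COLOR = "var(--primary-color)"; // assumed fallback

function sanitizeSlotColor(value) {
  if (typeof value !== "string") return DEFAULT_COLOR;
  const v = value.trim();
  return COLOR_RE.test(v) ? v : DEFAULT_COLOR;
}

// Builds the text that would be bound to style="..." (or fed to Lit's
// styleMap) from a user-supplied slot_colors object. Unknown keys are dropped.
function buildSlotStyle(slotColors) {
  const declarations = [];
  for (const [slot, color] of Object.entries(slotColors ?? {})) {
    if (!SLOT_NAME_RE.test(slot)) continue;
    declarations.push(`--slot-${slot}: ${sanitizeSlotColor(color)}`);
  }
  return declarations.join("; ");
}

// 3. External image loading. Only https URLs whose hostname is exactly the
//    GitHub avatar host pass; this rejects javascript:/data: URLs, lookalike
//    hosts (avatars.githubusercontent.com.evil.example) and userinfo tricks
//    such as https://avatars.githubusercontent.com@evil.example/.
const ALLOWED_AVATAR_HOST = "avatars.githubusercontent.com";

function isAllowedAvatarUrl(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return false; // not parseable as an absolute URL
  }
  return (
    url.protocol === "https:" &&
    url.hostname === ALLOWED_AVATAR_HOST &&
    url.username === "" &&
    url.password === ""
  );
}

// Constructed sample input: what an entity's attributes and card config might
// look like if an attacker controls a GitHub profile field (names assumed).
const sampleAttributes = {
  friendly_name: 'dmoo500 <img src=x onerror="alert(1)">',
  avatar_url: "https://avatars.githubusercontent.com@evil.example/a.png",
};
const sampleConfig = {
  slot_colors: { stars: "#ffd700", forks: "red; background: url(https://evil.example/t)" },
};

console.log(escapeHtml(sampleAttributes.friendly_name));
console.log(isAllowedAvatarUrl(sampleAttributes.avatar_url)); // false
console.log(buildSlotStyle(sampleConfig.slot_colors));
```

The design choice worth noting is that the colour check is an allowlist of a small grammar rather than a denylist of dangerous substrings; a denylist would miss encodings and future CSS functions, whereas a closed grammar keeps the value from ever containing `;`, `(` outside rgb/rgba, or a URL. For the avatar host, comparing `hostname` after URL parsing is what defeats the userinfo and suffix tricks that a `startsWith` on the raw string would let through.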

Out of Scope

  • Vulnerabilities in Home Assistant core or the GitHub integration itself
  • Issues requiring physical access to the HA instance
  • Social engineering attacks

There aren’t any published security advisories