The security of this project is taken seriously. We appreciate your efforts to responsibly disclose any findings and will make every effort to acknowledge your contributions.

Security updates are provided only for the latest released version of this library on PyPI. Users are strongly encouraged to keep their installations up to date.

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Instead, report them privately through GitHub's private vulnerability reporting:

Report a vulnerability

If for any reason you are unable to use GitHub's private vulnerability reporting, you may also reach out to the maintainer by email at opensource@frenck.dev.

When reporting, please include as much of the following as possible:

• A clear description of the vulnerability and its potential impact.
• Steps to reproduce, or a proof of concept.
• Affected version(s) of the library.
• Any known mitigations or workarounds.

• Acknowledgement: you will receive an acknowledgement of your report within 48 hours.
• Initial assessment: a triage and initial severity assessment will be shared within 7 days of the acknowledgement.
• Fix and disclosure: valid reports are targeted for resolution and coordinated public disclosure within 90 days of the initial report, depending on complexity and impact.

You will be kept informed throughout the process and credited in the release notes for the fix, unless you prefer to remain anonymous.

The following are not considered security vulnerabilities in this project:

• Vulnerabilities in upstream or transitive dependencies. These are handled continuously by Renovate and addressed through regular dependency updates.
• Issues only reproducible on Python versions older than those listed as supported in pyproject.toml.
• Issues in the WLED firmware itself; please report those directly to the WLED project.
• Denial-of-service or data-exposure conditions resulting from malformed or hostile responses from a WLED device the client is explicitly pointed at. This library assumes the configured endpoint is trusted.

This security policy covers the wled Python package published on PyPI and its source code in this repository.