Given the nature of this integration, security issues and bugs are taken very seriously. I appreciate your efforts to responsibly disclose your findings, and I will acknowledge your finding in the security advisory and release notes of the release that fixes the vulnerability. Together, we will keep the Home Assistant community safe.
To report a security issue, please use the GitHub Security Advisory "Report a Vulnerability" tab. Do not make a public issue for your security vulnerability!
I (@christiaangoossens) will review security advisories regularly and send you a response indicating next steps in handling your report. This might include fixing the vulnerability before disclosing its nature, or working together in a private branch on a fix.
Please note that this repository is maintained on a volunteer basis. I will try to respond quickly, but there are no guarantees.
If your bug has to do with a third-party package, please have it fixed there first, so that we can include a fixed version in an update of hass-oidc-auth. If you found a security vulnerability in Home Assistant itself, please report it at https://www.home-assistant.io/security/
Some vulnerabilities do not qualify for fixing in a security patch. The Home Assistant team has made a list of them over at https://www.home-assistant.io/security/#non-qualifying-vulnerabilities.