Security & Vulnerability Disclosure

We take security seriously. If you find a vulnerability, report it responsibly.

Responsible Disclosure Policy

If you discover a security vulnerability in Hugin or hugin.nu, we ask that you report it responsibly. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and release a fix. We are committed to working with security researchers and will acknowledge your contribution.

Scope

The following are in scope for security reports:

  • Hugin desktop application (all platforms)
  • hugin.nu website and associated web services
  • MCP server implementation
  • WASM sandbox escapes (Synaps module isolation)
  • License system bypass or forgery
  • Authentication and session handling
  • Data leakage or unauthorized access to stored flows/findings

Out of Scope

The following are out of scope and will not be accepted:

  • Social engineering attacks against Hugin users or staff
  • Denial of service attacks (volumetric or application-level)
  • Vulnerabilities in third-party dependencies — please report these upstream to the respective maintainers
  • Theoretical attacks without a working proof of concept
  • Issues that require physical access to the victim's machine
  • Self-XSS or issues that only affect the attacker themselves
  • Missing security headers that do not lead to demonstrable impact

What to Include in Your Report

A good vulnerability report should contain:

  • Description: A clear explanation of the vulnerability and the affected component.
  • Reproduction steps: Detailed, step-by-step instructions to reproduce the issue.
  • Impact assessment: What can an attacker achieve? What data or functionality is at risk?
  • Proof of concept: Code, screenshots, or a video demonstrating the vulnerability.
  • Contact info (optional): An email address or handle so we can follow up. Anonymous reports are accepted.

Response Timeline

  • Acknowledgment: Within 48 hours of receiving your report.
  • Status update: Within 7 days with an initial assessment and severity classification.
  • Fix target: Within 30 days for critical and high severity issues. Medium and low severity issues will be addressed in the next scheduled release.
  • Disclosure coordination: We will work with you on a mutually agreeable public disclosure timeline once a fix is available.

Hall of Fame

Responsible reporters will be credited (if desired) in our release notes and on this page. If you would like to be credited, please include your preferred name or handle in your report.

Alternative Contact

If you prefer not to use the form below, you can email us directly at security@hugin.nu. For sensitive reports, encrypt your message using our PGP public key.

Submit a Report

Contact (optional): an email address or handle so we can follow up. Leave blank for anonymous submission.

Report: include reproduction steps, affected version, and any proof of concept. Max 5000 characters.