// security
Security &
disclosure.
Found a vulnerability in Hugin or hugin.nu? Report it and we'll work with you on a fix.
Responsible disclosure policy
If you discover a security vulnerability in Hugin or hugin.nu, we ask that you report it responsibly. Please don't publicly disclose the issue until we've had a reasonable opportunity to investigate and release a fix.
Scope
The following are in scope:
- Hugin desktop application (all platforms)
- hugin.nu website and associated web services
- MCP server implementation
- WASM sandbox escapes (Synaps module isolation)
- License system bypass or forgery
- Authentication and session handling
- Data leakage or unauthorized access to stored flows/findings
Out of scope
- Social engineering attacks
- Denial of service attacks
- Vulnerabilities in third-party dependencies — report upstream
- Theoretical attacks without a working PoC
- Self-XSS or issues that only affect the attacker
- Missing security headers without demonstrable impact
What to include
- Description: Clear explanation of the vulnerability.
- Reproduction: Step-by-step instructions.
- Impact: What can an attacker achieve?
- PoC: Code, screenshots, or video.
- Contact (optional): Email or handle. Anonymous accepted.
Response timeline
- Acknowledgment: Within 48 hours.
- Status update: Within 7 days with severity classification.
- Fix target: Within 30 days for critical/high.
Alternative contact
Email security@hugin.nu. For sensitive reports, encrypt using our PGP public key.
// Report