Hush

Security

Last updated April 2026.

We take reports from researchers and users seriously. This page is the human-readable counterpart to https://hush.ltd/.well-known/security.txt.

Report a vulnerability

Email security@hush.ltd with enough detail that we can reproduce the issue: affected URL or endpoint, steps, and (if relevant) a minimal proof of concept. Please use security@hush.ltd for security-sensitive mail, and hello@hush.ltd for general privacy or data questions.

We ask that you give us a reasonable window to fix critical issues before publishing technical details, and that you avoid accessing or exfiltrating other people's private data beyond what is necessary to demonstrate the flaw. Do not perform destructive tests (deletion, ransomware-style payloads, or sustained denial-of-service) against production.

We do not run a paid bug bounty programme today. We will credit researchers by name in release notes or this page if they want that and the report leads to a material fix.

What we already do

  • TLS in transit between you and our edge.
  • Public APIs reject oversized payloads, so request bodies cannot be trivially inflated for abuse.
  • No password vault for end users — the public product is anonymous, which removes an entire class of account-takeover risk.
  • Reports and lookups are handled server-side; scoring logic is not exposed as editable client-side secrets.

That does not mean the site is "unhackable". It means we design for a small, high-trust surface and fix issues when they are pointed out.

If you see spam or abuse on Hush

Misuse of the report form (harassment campaigns, obvious false flags) is both a terms issue and a product integrity issue. Write to hello@hush.ltd with links or screenshots and we will investigate.
