Security Program Overview

Security is our highest priority at Hund. We are committed to building a culture of security and implementing robust controls to protect our infrastructure and your data from potential threats. This page provides an overview of our comprehensive security program.

Regular Security Assessments

Our platform undergoes penetration testing at least annually to provide a comprehensive assessment of its resilience. These tests are conducted by certified personnel in accordance with recognized industry standards and methodologies to simulate real-world attacks and identify potential vulnerabilities in our systems.

A summary of our most recent penetration test report can be provided to customers upon request and under a non-disclosure agreement (NDA). Please contact security@hund.io for more information.

Responsible Disclosure Program

We value the security community and believe that responsible disclosure is a key part of maintaining a secure platform. We encourage security professionals to test our systems and report any potential vulnerabilities they may discover.

Reporting a Vulnerability

Reports can be sent to security@hund.io. To protect sensitive information, please encrypt your message with our public GPG key (fingerprint below) and include your own public key so that our replies to you can be encrypted as well.

  • GPG Fingerprint: 2D90 5CC8 D092 9AC9 A166 D297 4296 192B E7E6 F3D2

Program Scope

We are most interested in the following categories of vulnerabilities:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • SQL Injection (SQLi) and other database manipulation
  • Server-Side Remote Code Execution (RCE)
  • Authentication or Authorization Flaws (including access control issues)
  • Directory Traversal and Local/Remote File Inclusion

Out of Scope

To help our team focus on actionable reports, the following are considered out of scope:

  • Theoretical reports without a demonstrated exploit
  • Reports from automated scanners without manual validation
  • Missing security headers or "best practice" configurations without a demonstrated vulnerability
  • Self-XSS, Denial of Service (DoS/DDoS) attacks, or social engineering
  • Vulnerabilities in third-party services we use

Program Rules

Please adhere to the following rules during your research:

  • Do not attempt to access, modify, or delete another user's data.
  • Do not perform any action that could harm the availability or integrity of our services.
  • Do not publicly disclose any vulnerability before we have had a reasonable time to investigate and remediate it.

Acknowledgements & Rewards

We are committed to recognizing the contributions of security researchers. Depending on the severity and quality of the report, we may offer acknowledgement in our Hall of Fame, swag, or a monetary bounty. All rewards are at our sole discretion.

Security Hall of Fame

Hund would like to thank the following security researchers who have helped keep us secure by participating in our responsible disclosure program: