If you believe you have found a security issue in hosn.om, in any Hosn appliance, or in any Hosn-supplied software, we want to hear from you, and we will work with you in good faith.

How to report

Email security@hosn.om. Please include:

• A short description of the issue and its impact
• Reproduction steps, or a proof-of-concept (text, screenshot, or short video)
• The URL, request, or appliance build affected
• Whether you would like public credit, and under what name

For sensitive reports, you may use PGP. Request the key from the same address. If we do not respond within three business days, please nudge us at info@hosn.om.

What we promise

• We will acknowledge receipt within three business days.
• We will investigate, validate, and tell you what we found and what we are doing about it.
• If you ask for credit, we will publish it once a fix ships, or earlier if you prefer.
• We will not pursue legal action against good-faith researchers who follow this policy.

Scope

In scope:

• The hosn.om website, including all subdomains under our control
• The contact-form endpoint at /api/contact
• Any Hosn appliance build a customer has consented to share with you for testing

Out of scope:

• Cloudflare or upstream infrastructure we do not control
• Vulnerabilities requiring physical access to a customer-owned appliance, beyond the scope of an authorised test
• Issues in upstream open-weight models or third-party libraries that are already publicly disclosed
• Best-practice findings (missing security headers, low-severity TLS configuration) without a demonstrable exploit

Machine-readable record

The canonical RFC 9116 file lives at /.well-known/security.txt. It is what automated scanners and bug-bounty platforms read.

Acknowledgements

We will list researchers who have responsibly reported confirmed issues here, with their permission.

• (none yet, be the first)

Other ways to reach us

For privacy questions: privacy policy. For commercial questions: sales@hosn.om.