Please report (suspected) security vulnerabilities to [email protected]. You will receive a response from us within 48 hours. If we can confirm the issue, we will release a patch as soon as possible depending on the complexity of the issue but historically within days.

Also see Hugo's Security Model.