Glasshaus handles sensitive personal identifiers and API credentials, so we take security seriously and appreciate responsible disclosure.
Status: Glasshaus is pre-alpha and not yet intended for production use. We still want to hear about security issues in the design or any code as it lands.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Report privately through either channel:
- Preferred: GitHub's private vulnerability reporting — open the repository's Security tab and click "Report a vulnerability". This keeps the report confidential and tracked.
- Email fallback: henkas@henkas.eu with a subject line beginning `[Glasshaus Security]`.
Please include:
- A description of the issue and its potential impact.
- Steps to reproduce, or a proof of concept.
- Affected version/commit and environment, if known.
- Any suggested remediation.
What to expect:
- Acknowledgement: we aim to respond within 5 business days.
- Updates: we'll keep you informed as we investigate and fix.
- Credit: with your permission, we're happy to credit you once a fix is released.
- Please give us reasonable time to address the issue before any public disclosure.
Security issues we especially care about, given what this tool does:
- Leakage of operator-supplied API keys / credentials (e.g. keys appearing in findings, logs, exports, or the database).
- Exposure of scan data to unauthorized parties.
- Injection or SSRF via connector inputs or selector handling.
- Authentication/authorization flaws in the web interface.
- Dependency vulnerabilities in the connector supply chain.
Out of scope:
- The inherent fact that Glasshaus performs active OSINT queries — that is the tool's purpose. See DISCLAIMER.md for intended-use boundaries.
- Findings about third-party services that Glasshaus merely reports (report those to the service in question).
- Issues requiring a compromised host or operator-level access you already control in a self-hosted deployment.