Security fixes target the latest release on main and the most recent published container image tag.

For details on how Houndarr handles credentials, encryption, and network behavior, see Security Overview.

• No telemetry, analytics, or phone-home endpoints. The only outbound connections Houndarr initiates are to the *arr URLs you configure.
• Source is fully open. Every release tag on GitHub maps to a container image published on GHCR; no binary-only distribution channel.
• Code reviewed through the standard PR + required-check flow. No direct pushes to main; no unreviewed diffs in release branches.
• API keys for every configured *arr are Fernet-encrypted at rest (AES-128-CBC + HMAC-SHA256) and never exposed to the browser.
• Session cookies are signed with a per-install secret that rotates on password change.

• Conservative out-of-the-box cadence: small batch per cycle, long sleep interval, tight per-pass hourly caps. Configured caps are the ceiling, not the floor.
• Respects each *arr's configured queue_limit as a backpressure gate; cycles skip when the download queue is at or above the limit.
• Respects per-item cooldowns (missing / cutoff / upgrade use distinct cooldown days) so the same item never gets re-hammered.
• Honors post_release_grace_hrs so freshly-released items aren't searched the moment their timestamp crosses zero.
• Optional per-instance allowed_time_window gates scheduled cycles to one or more hour ranges.
• Skip-log throttle (in-memory, 24-hour per-key LRU) suppresses duplicate cooldown-reason rows so the audit trail stays scannable on installs with hundreds of items sharing one cooldown.

• Outbound: only to the *arr instance URLs you configure. No third-party service is contacted at runtime.
• Inbound: a single HTTP server on the port you configure (8877 by default). No additional listeners, metrics endpoints, or debug ports.
• SSRF guard on the *arr URL field blocks loopback / link-local / unspecified targets at configuration time.
• Container runs as non-root after PUID / PGID remapping.

In scope. Triggering missing / cutoff-unmet / upgrade searches against configured *arr instances, rate-limited per-instance, with a web UI for status and audit.

Out of scope (deliberate). Download-client management, indexer management, request workflows, multi-user support, media file manipulation, built-in Usenet or torrent clients, Prowlarr integration, Plex OAuth, or anything that expands Houndarr beyond its single-purpose search-companion role.

Please do not open public GitHub issues for suspected vulnerabilities.

Instead, report privately using GitHub's security reporting flow:

• https://github.com/av1155/houndarr/security/advisories/new

Include as much detail as possible:

• affected version/tag or commit
• environment (Docker version, host OS)
• steps to reproduce
• impact assessment
• proof-of-concept (if available)

• Initial acknowledgement target: within 72 hours
• Triage and severity assessment: as soon as reasonably possible
• Fix timeline depends on severity and exploitability

When a fix is available, a release note/changelog entry will document the resolution.