Security · 2026-05-18
Security policy & official sites
How to report a vulnerability, the canonical list of official
Hydrate hosts, and how to verify an installer came from us.
Reporting a vulnerability
Email security@gethydrate.dev
with details. We respond within two working days
(Europe/London business hours). For actively exploited issues,
credential leaks, or supply-chain compromise, mark the subject
URGENT and we will prioritise within the same working
day.
Please do not file public GitHub issues for security reports. We
will coordinate a fix and disclosure timeline with you directly.
What to include
- A description of the vulnerability and the affected component.
- Steps to reproduce.
- Impact assessment.
- Your preferred credit line for disclosure (or "anonymous").
We do not currently run a paid bug-bounty programme. We do credit
researchers in release notes for valid reports.
Official sites
The only canonical Hydrate website is https://gethydrate.dev.
The following alternative domains, where registered, are ours and
redirect (HTTP 301) to gethydrate.dev:
- gethydrate.com
- gethydrate.io
- hydrate.app
- hydrate.ai
- Typo guards: gehydrate.dev, hyrdate.dev, hydate.dev, hyrate.dev
hydrate.dev is not us. The bare-domain
hydrate.dev is registered to a third party and is
not owned, operated, or endorsed by Sedasoft Ltd.
Anything served from that hostname does not originate from the
Hydrate project. (Verified 2026-05-07.)
If you encounter a site claiming to be Hydrate that is not on the
list above, please report it to
security@gethydrate.dev
so we can coordinate takedown.
Verifying installers
The official install path is:
curl -fsSL gethydrate.dev/install | sh
The script is hosted on the canonical domain and served over HTTPS
with a Let's Encrypt certificate. Note that curl defaults to
http:// when the URL carries no scheme, so write it out as
https://gethydrate.dev/install (and add --proto '=https') if you
want the first request, not only the final one after -L follows
any redirect, to be encrypted. The Homebrew tap is
seamuswaldron/hydrate
(GitHub: SeamusWaldron/homebrew-hydrate). Release
artefacts are signed; the public key is published in the GitHub
release notes. Record the key's fingerprint the first time you
fetch it and check later releases against that record rather than
re-importing whatever the current notes contain, since the notes
and the artefacts travel over the same channel.
If a third party offers a Hydrate binary that does not originate
from one of the channels above, treat it as untrusted.
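The procedure above (fetch over https only, stay on the canonical host, look at the script before running it) as an added example. This is illustrative code, not the project's installer or client: the host and URL are the ones the page names, the redirect policy and the out-of-band digest are assumptions, and no digest is published on the page, so EXPECTED_SHA256 is a placeholder the reader records from a first, manually inspected download.

```python
import hashlib
import hmac
import urllib.error
import urllib.request
from urllib.parse import urlparse

# From the page: the only canonical host, and the installer URL with the
# scheme written out so curl/urllib never start on http://.
CANONICAL_HOST = "gethydrate.dev"
INSTALL_URL = "https://gethydrate.dev/install"
# Assumption: a digest you recorded yourself earlier; the page publishes none.
EXPECTED_SHA256 = None


def redirect_allowed(src: str, dst: str) -> bool:
    """Follow a redirect only if both hops are https and the destination is
    the canonical host. Alias domains (gethydrate.com, typo guards) may be the
    source, since they 301 to gethydrate.dev, but never the destination."""
    s, d = urlparse(src), urlparse(dst)
    return s.scheme == "https" and d.scheme == "https" and d.hostname == CANONICAL_HOST


class StrictRedirects(urllib.request.HTTPRedirectHandler):
    """urllib hands redirect_request an absolute target URL; refuse any hop
    that leaves the canonical https origin instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not redirect_allowed(req.full_url, newurl):
            raise urllib.error.HTTPError(
                newurl, code, "redirect leaves the canonical https origin", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_installer(url: str = INSTALL_URL, timeout: float = 30) -> tuple[bytes, str]:
    """Download the script into memory rather than straight into sh.
    urllib verifies the server certificate by default."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing a non-https start URL: " + url)
    opener = urllib.request.build_opener(StrictRedirects())
    with opener.open(url, timeout=timeout) as resp:
        body = resp.read()
    return body, sha256_hex(body)


def digest_matches(actual: str, expected) -> bool:
    """Constant-time comparison against the recorded digest. With no record
    yet, this is False and the reader must inspect the script by hand."""
    return expected is not None and hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Network access happens only here, at the reader's discretion.
    script, digest = fetch_installer()
    print("sha256:", digest, "matches record:", digest_matches(digest, EXPECTED_SHA256))
    print(script.decode("utf-8", "replace")[:2000])
```

Run it as a script to fetch and print the digest and the head of the script; only after reading the script (or matching a recorded digest) pipe the saved body to sh.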
Supported versions
We support the latest minor release on main and the
previous minor release for security patches. Older versions are
end-of-life. Please upgrade before reporting issues against them.
Recent security-relevant changes
2026-05-18: magic-link token encoding
The /account customer portal uses passwordless magic-link
authentication. On 2026-05-18 we changed the token encoding from
raw bytes to hex, because a token whose raw HMAC happened to
contain the separator byte could not be parsed back into payload
and MAC and so failed verification. That hit about 12% of tokens,
the rate expected for a 32-byte MAC such as HMAC-SHA256
(1 - (255/256)^32 ≈ 0.118), and surfaced only as a misleading
"token invalid or expired" error. All outstanding email links
issued before that date no longer verify. Affected customers
should request a fresh link at /account.
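The failure mode and the fix, as an added example that is not the portal's code. The page says only that the old token was raw bytes joined by a separator byte and the new one is hex; the key, the separator, the payload layout and the split-on-separator parser here are assumptions constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo values; the portal's real key and separator are not on the page.
KEY = b"demo-magic-link-key"
SEP = b"|"


def _mac(payload: bytes) -> bytes:
    return hmac.new(KEY, payload, hashlib.sha256).digest()  # 32 raw bytes


# Before: payload + SEP + raw MAC. Any SEP byte that occurs inside the MAC
# makes the token split into the wrong number of fields.
def issue_legacy(payload: bytes) -> bytes:
    return payload + SEP + _mac(payload)


def verify_legacy(token: bytes) -> bool:
    parts = token.split(SEP)
    if len(parts) != 2:  # surfaced to the user as "token invalid or expired"
        return False
    payload, mac = parts
    return hmac.compare_digest(mac, _mac(payload))


# After: both fields hex-encoded, so they consist of 0-9a-f only and can
# never contain the separator. The MAC is still compared in constant time.
def issue_hex(payload: bytes) -> bytes:
    return payload.hex().encode("ascii") + SEP + _mac(payload).hex().encode("ascii")


def verify_hex(token: bytes) -> bool:
    parts = token.split(SEP)
    if len(parts) != 2:
        return False
    try:
        payload = bytes.fromhex(parts[0].decode("ascii"))
        mac = bytes.fromhex(parts[1].decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        return False  # includes every pre-change raw-byte token
    return hmac.compare_digest(mac, _mac(payload))


def _payload(i: int) -> bytes:
    # Constructed payload; it never contains SEP, so only the MAC can break parsing.
    return f"uid:{i}:exp:1780000000".encode("ascii")


def legacy_failure_rate(n: int = 2000) -> float:
    """Fraction of freshly issued legacy tokens that fail their own verification.
    Expected around 1 - (255/256)**32, i.e. roughly 12%."""
    return sum(not verify_legacy(issue_legacy(_payload(i))) for i in range(n)) / n


def first_unverifiable_legacy_payload(limit: int = 5000):
    """A concrete payload whose legacy token fails; the same payload verifies as hex."""
    for i in range(limit):
        p = _payload(i)
        if not verify_legacy(issue_legacy(p)):
            return p
    return None


if __name__ == "__main__":
    print("legacy failure rate:", legacy_failure_rate())
    p = first_unverifiable_legacy_payload()
    print("legacy:", verify_legacy(issue_legacy(p)), "hex:", verify_hex(issue_hex(p)))
```

A length-prefixed or base64url encoding would have worked equally well; the property that matters is that neither field can contain the byte the parser splits on.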
Runaway-recursion guard
Hydrate hooks can spawn assistant subprocesses (Claude CLI,
Codex CLI) for fact extraction. To prevent a hook firing
inside its own spawned child, every Hydrate spawner sets a
HYDRATE_SPAWNED=1 environment variable on the
child and every hook checks it before running. The same
signal is also carried as an X-Hydrate-Spawned
HTTP header so a sanitised environment cannot defeat the
guard. The pattern was added after a May 2026 incident and
is now load-bearing for every hook binary. Architecture
detail in thesis chapter 26.
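The two-channel guard, as an added example rather than Hydrate's hook code. The variable and header names are the ones the page gives; the helper names, the "sanitised" environment (only PATH and HOME survive) and the probe child are constructed for the demonstration.

```python
import subprocess
import sys

ENV_FLAG = "HYDRATE_SPAWNED"       # named on the page
HEADER_FLAG = "X-Hydrate-Spawned"  # named on the page


def is_spawned(environ, headers=None) -> bool:
    """True if either signal says we are inside a Hydrate-spawned child.
    Header names are matched case-insensitively, as HTTP requires."""
    if environ.get(ENV_FLAG) == "1":
        return True
    lowered = {k.lower(): v for k, v in (headers or {}).items()}
    return lowered.get(HEADER_FLAG.lower()) == "1"


def hook_should_run(environ, headers=None) -> bool:
    """The check every hook performs before doing any work."""
    return not is_spawned(environ, headers)


def child_env(parent_env) -> dict:
    """Environment a spawner hands to its assistant subprocess."""
    env = dict(parent_env)
    env[ENV_FLAG] = "1"
    return env


def child_headers(base=None) -> dict:
    """Headers the spawner (or anything it runs) sends to a Hydrate HTTP
    endpoint, so the signal survives even if the environment does not."""
    h = dict(base or {})
    h[HEADER_FLAG] = "1"
    return h


def sanitised_env(env) -> dict:
    """Constructed stand-in for an intermediate tool that scrubs unknown
    variables: PATH and HOME pass through, HYDRATE_SPAWNED is dropped."""
    return {k: v for k, v in env.items() if k in ("PATH", "HOME")}


def child_sees(env_for_child) -> str:
    """Spawn a throwaway child (this interpreter) and report what it sees
    for the marker: '1' or 'unset'."""
    probe = "import os; print(os.environ.get('HYDRATE_SPAWNED', 'unset'))"
    out = subprocess.run([sys.executable, "-c", probe], env=env_for_child,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    env = child_env({"PATH": "/usr/bin", "HOME": "/tmp"})
    print("direct child sees:", child_sees(env))
    print("after sanitising:", child_sees(sanitised_env(env)))
    print("hook runs with header only:", hook_should_run({}, child_headers()))
```

The second probe is the case the header exists for: the environment marker is gone, so a hook that checked only HYDRATE_SPAWNED would fire again inside its own child.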
Activation cap race
The licensing server's machine-cap check is now an atomic
conditional INSERT instead of a SELECT followed by an INSERT,
closing a race window where two concurrent activations with
different machine fingerprints could both pass the cap check and
leave the licence one activation over its cap.
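The before and after forms, as an added example on SQLite; this is not the licensing server's schema or code, and the table, the cap of 3 and the replayed interleaving are constructed. One caveat the page does not address: on SQLite a single statement is atomic and writers are serialised, so the conditional INSERT alone closes the window. On a multi-version engine such as PostgreSQL at READ COMMITTED, the COUNT subquery reads a snapshot, and two concurrent statements can both see the old count; there the same statement needs a row lock on the licence (SELECT ... FOR UPDATE in the same transaction) or a constraint that cannot be satisfied twice, such as UNIQUE (licence, slot) with a slot number assigned per activation.

```python
import sqlite3

CAP = 3  # constructed machine cap; the real value is not on the page


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE activations ("
        "  licence TEXT NOT NULL, fingerprint TEXT NOT NULL,"
        "  UNIQUE (licence, fingerprint))"
    )
    return db


def active_count(db, licence: str) -> int:
    return db.execute(
        "SELECT COUNT(*) FROM activations WHERE licence = ?", (licence,)
    ).fetchone()[0]


def seed(db, licence: str, n: int) -> None:
    for i in range(n):
        db.execute("INSERT INTO activations VALUES (?, ?)", (licence, f"fp-seed-{i}"))
    db.commit()


# Before: two statements. Between the SELECT and the INSERT another request
# can run the same SELECT and see the same stale count.
def passes_cap_check(db, licence: str) -> bool:
    return active_count(db, licence) < CAP


def insert_activation(db, licence: str, fingerprint: str) -> None:
    db.execute("INSERT INTO activations VALUES (?, ?)", (licence, fingerprint))
    db.commit()


def race_two_activations(db, licence: str, fp_a: str, fp_b: str) -> int:
    """The interleaving the old code allowed, replayed deterministically:
    both requests SELECT before either INSERTs. Returns the resulting count."""
    ok_a = passes_cap_check(db, licence)
    ok_b = passes_cap_check(db, licence)
    if ok_a:
        insert_activation(db, licence, fp_a)
    if ok_b:
        insert_activation(db, licence, fp_b)
    return active_count(db, licence)


# After: the count and the insert are one statement, so there is no gap
# between checking the cap and consuming a slot.
def activate(db, licence: str, fingerprint: str) -> bool:
    cur = db.execute(
        "INSERT INTO activations (licence, fingerprint) "
        "SELECT ?, ? "
        "WHERE (SELECT COUNT(*) FROM activations WHERE licence = ?) < ?",
        (licence, fingerprint, licence, CAP),
    )
    db.commit()
    return cur.rowcount == 1  # 0 rows inserted means the cap was already reached


if __name__ == "__main__":
    racy = make_db()
    seed(racy, "LIC-1", CAP - 1)
    print("racy count after two concurrent activations:", race_two_activations(racy, "LIC-1", "fp-a", "fp-b"))
    fixed = make_db()
    seed(fixed, "LIC-1", CAP - 1)
    print("atomic:", activate(fixed, "LIC-1", "fp-a"), activate(fixed, "LIC-1", "fp-b"), active_count(fixed, "LIC-1"))
```

Re-activating a fingerprint that is already present trips the UNIQUE constraint rather than counting as a new machine; how the real server treats that case is not described on the page.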
Out of scope
- Vulnerabilities in upstream dependencies (file with the upstream project; we will track the fix here).
- Issues that require an attacker to already have local code execution on the user's machine.
- Theoretical attacks without a demonstrated impact path.