Stay Informed

Please consider using the "Follow" button to the right to be kept informed any time a new security disclosure is posted here.

Disclosure Policy

We are committed to providing responsible disclosure on security and privacy-related incidents.

As such, we expect security- or privacy-related incidents to be reported directly to us by opening a support ticket. In return, we will verify the incident and report the problem as fast as possible. This means that we will report the issue (and possible fixes) directly to affected customers so that they have time to mitigate it before we report it publicly. For privacy-related incidents that affect users on our hosted services, we will report the incident directly to the users and to relevant authorities.

As a consequence of the above policy, it may take several days before we make a public disclosure about a problem.

We do provide bug bounties for serious security issues. Also, please let us know if you would like to be mentioned by name as the originator of an incident report.

List of Security Disclosures

  • 1.8.9 / 1.9.2 Security Release (2020-03-25)

    Status: Fixed in Humio 1.8.9 and 1.9.2
    Classification: Critical
    As part of a proactive security audit, we discovered and corrected a vulnerability introduced by an external library. We recommend ...

  • 1.8.8 / 1.9.1 Security Release (2020-03-24)

    Status: Fixed in Humio 1.8.8 and 1.9.1
    Classification: Critical
    As part of a proactive security audit, we discovered and corrected a vulnerability. We recommend all self-hosted installations of H...

  • 1.6.7 Security Release (2019-11-04)

    Status: Fixed in 1.6.7
    Introduced in: 1.6.2
    We were made aware that it was possible for an authenticated user to list all users in a Humio cluster using the GraphQL API. This also applies to cust...

  • 1.5.6 Security Release (2019-04-04)

    Status: Fixed in 1.5.6
    We were made aware of a vulnerability in our LDAP integration, for on-premises customers using AUTHENTICATION_METHOD=ldap with an LDAP service allowing anonymous bind; it i...

  • 1.5.2 Security Release (2019-03-25)

    Status: Fixed in 1.5.2
    We were made aware of a vulnerability in the authentication for the audit-log repo allowing users to access data for other users when querying using the /query API. This is...

  • Demo Site Vulnerability (2018-12-20)

    Status: Fixed 2018-12-20
    We received a notification that our demo-site demo.humio.com exposed the email addresses of other users on the website. This was available in the ‘settings’ -> ‘members’ ...

  • Jenkins Vulnerability (2017-05-14)

    Sunday night at 22:53 UTC our build server was compromised. An attacker used the CVE-2017-1000353 vulnerability in Jenkins to run a Monero (crypto coin) miner. With the help of the security team at...