Security

Audit, verification, disclosure.

Husk is a privacy tool, which means it has to be worth the trust it asks for. This page collects the work we did before shipping, how you can verify the binary yourself, and what to do if you find a hole.

Pre-launch audit

What we looked at before v0.1.

Before the first public binary went out, every trust-critical surface in Husk was reviewed against a structured threat model. The audit covered four tiers — crypto, IPC, privacy, UX — and produced a punch list. The fixes shipped in v0.1.0.

2
Critical

Both fixed before ship. A panic-wipe path was reachable from any visited site (removed); the encrypted-profile lock used plain remove_dir_all which left recoverable cleartext blocks on NTFS / FAT32 (now overwrites with zeros, then unlinks).

10
High

Vault blobs padded to a fixed 256 KiB so real / duress size delta isn't readable off disk; content tabs can't close / reload / boss-key each other; DoH strict mode with persistent UI indicator; history and bookmarks strip sensitive query parameters before persisting; husk-dns.log redacts hostnames and rotates.

25+
Defense in depth

URL allow-list (vs block-list), search-template validation, Notes image MIME whitelist (drops SVG), EncryptedBody kind discriminator, Zeroizing strings on lock / wipe, paranoia activity restricted to user events, HWND validation, handle-leak fixes, log rotation, and more.

The full internal audit document stays private (it names specific reachable code paths), but the public summary of cryptographic surface is in the husk-crypto README. The cryptographic code itself — profile_manager, vault, notes, crypto — is published in full for independent audit.

Verify

Check the binary before you run it.

The SHA-256 hashes for the current release live on the Download page and on the GitHub Release. After downloading the zip, open PowerShell in the file's folder and run: 

Get-FileHash .\Husk-Portable-0.1.0.zip -Algorithm SHA256

Compare the output to the SHA-256 listed next to the download. If they don't match, do not run the file — see Disclosure below to report it.

Full install & verify guide: /docs/install.

Boundaries

What Husk does NOT defend.

A privacy browser can shrink the leakage surface; it can't promise zero leakage. The threat-model boundaries below also appear on the Privacy page, repeated here because anyone reading the audit summary should see them in the same breath.

  • Memory snapshots while unlocked. Secrets are zeroed on lock / wipe, but a process memory dump taken while a vault is open recovers cleartext. Lock when you step away.
  • SSD physical recovery. Secure wipe overwrites the logical blocks Husk owns; SSD controllers can hold older physical copies for hours or days. Combine Husk with full-disk encryption (BitLocker / VeraCrypt) against forensic recovery.
  • SNI leakage. DoH hides DNS, but the TLS ClientHello still carries the hostname. ECH ships when WebView2 exposes it.
  • The rendering engine is Chromium. Via WebView2. Husk doesn't ship Edge telemetry, sync or account integration — but the engine itself is what's available for embedding on Windows today. The day a non-Chromium engine is embedding-ready, we switch.
  • Coercion. The duress slot in the vault is a tool, not a guarantee — see /docs/vault for limits.
Disclosure

Found something? Tell us.

Email security@husk.run. Please:

  • Include enough detail to reproduce — version, OS, steps, expected vs observed.
  • Hold off on public disclosure for at least 30 days from our acknowledgement so a fix can ship.
  • If a CVE applies, we'll request one. Credit goes in the changelog unless you ask us not to.

Husk is small, the team is one developer, and the response won't be a corporate SLA — but every report is read.