Please report (suspected) security vulnerabilities to bjorn.erik.pedersen@gmail.com. You will receive a response from us within 48 hours. If we can confirm the issue, we will release a patch as soon as possible depending on the complexity of the issue but historically within days.

Also see Hugo's Security Model.