Extremely Heavy takes the security of its code and clients very seriously, and we welcome any and all reports of possible vulnerabilities or security-related issues with both Hoist code and its declared dependencies.

To report any issues, or if you have any questions, please contact us immediately at support@xh.io. We will respond to all genuine, security-related reports or questions within one US business day.

Hoist is a toolkit designed to allow professional developers to build advanced enterprise web applications with the support of XH in the form of direct development, co-development, and/or consulting services. As such, many decisions critical to the security of Hoist-powered applications are highly specific to implementation choices made during the design and development process, including but not limited to the choice of other project dependencies, creation and interaction with any Hoist or third-party server APIs, input sanitization, authentication protocols, and more.

Hoist is not and does not claim to be fully secure "out of the box" - it is dependent upon application developers to make and implement security decisions appropriate to their particular application and its deployment.