Security: apache/hop

Security Policy

Reporting a Vulnerability

apache/hop follows the Apache Software Foundation security process. Please report suspected vulnerabilities privately to security@apache.org; do not open public GitHub issues or pull requests for security reports.

Threat Model

What the project treats as in scope and out of scope, the security properties it provides and disclaims, the adversary model, and how findings are triaged are documented in THREAT_MODEL.md.

Hardening a deployment

Hop runs operator-authored pipelines and workflows with full host capability; it is not a sandbox. Operators exposing Hop on a network should, at minimum:

  • Change the default Hop Server credential. The shipped credential is the well-known default cluster/cluster. Do not expose the Hop Server (or the separate rest/ REST API, which has no built-in authentication) to an untrusted network unless the credentials have been changed and an authentication layer sits in front of it.
  • Enable TLS for the Hop Server and sensitive backends (off by default), and set javax.net.ssl.keyStore so outbound TLS verification is not relaxed.
  • Protect credentials at rest with the AES2 password encoder (HOP_PASSWORD_ENCODER_PLUGIN=AES2 + HOP_AES_ENCODER_KEY) or a secrets resolver (Vault / Azure Key Vault / Google Secret Manager); the default metadata password protection is reversible obfuscation, not encryption.
  • Only run pipelines/workflows from trusted authors, and parameterize any variable that may carry untrusted data.

See THREAT_MODEL.md §10 for the full list.
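
A pre-flight check for three of the items above, as an added example that is not part of the Hop project or its SECURITY.md. It assumes the AES2 route rather than a secrets resolver, and that the JVM option string and the configured Hop Server credential are passed in as arguments; the function name hop_preflight and all sample values are hypothetical.

```shell
#!/bin/sh
# Added example (not Hop project code). Audits three of the hardening items.
# Usage: hop_preflight JVM_OPTS SERVER_USER SERVER_PASS
#   JVM_OPTS: the JVM option string your launcher passes to Hop (assumption)
#   SERVER_USER / SERVER_PASS: the Hop Server credential currently configured
# Reads HOP_PASSWORD_ENCODER_PLUGIN and HOP_AES_ENCODER_KEY from the environment.
# Prints one line per finding; the return status is the number of findings.
hop_preflight() {
    jvm_opts=$1; user=$2; pass=$3
    findings=0

    # 1. The shipped default credential cluster/cluster must be changed.
    if [ "$user" = "cluster" ] && [ "$pass" = "cluster" ]; then
        echo "FAIL: Hop Server still uses the default credential cluster/cluster"
        findings=$((findings + 1))
    fi

    # 2. javax.net.ssl.keyStore must be present with a non-empty value.
    case " $jvm_opts " in
        *" -Djavax.net.ssl.keyStore= "*) keystore=empty ;;
        *" -Djavax.net.ssl.keyStore="*)  keystore=set ;;
        *)                               keystore=missing ;;
    esac
    if [ "$keystore" != "set" ]; then
        echo "FAIL: javax.net.ssl.keyStore is $keystore in the JVM options"
        findings=$((findings + 1))
    fi

    # 3. AES2 encoder selected and keyed (the key itself is never printed).
    if [ "${HOP_PASSWORD_ENCODER_PLUGIN:-}" != "AES2" ]; then
        echo "FAIL: HOP_PASSWORD_ENCODER_PLUGIN is not AES2; stored passwords are only obfuscated"
        findings=$((findings + 1))
    elif [ -z "${HOP_AES_ENCODER_KEY:-}" ]; then
        echo "FAIL: HOP_PASSWORD_ENCODER_PLUGIN=AES2 but HOP_AES_ENCODER_KEY is empty"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample run: an unhardened deployment.
hop_preflight "-Xmx2g" cluster cluster || echo "findings: $?"
```

A deployment that uses a secrets resolver instead of AES2 will trip check 3 by design; treat that finding as informational in that case.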

There aren't any published security advisories