VLSTUDIO ← Back to site
// Legal

Security
Disclosure Policy

Last updated: July 1, 2026  ·  Effective: July 1, 2026
// TL;DR: found a security issue in VLStudio Desktop or VLStudio Web? Tell us at the contact below. We will acknowledge your report, work with you on a fix, and will not pursue legal action against good-faith research that follows this policy.

Contents

1. Scope

2. How to Report

3. What We Ask of Researchers

4. Our Commitment to You

5. A Small, Actively-Developed Product

6. Safe Harbor

7. Contact

1. Scope

This policy covers VLStudio Desktop (the video editing application) and VLStudio Web at vlstudio.live (analytics, community, marketplace, jobs board, and token economy), operated by Vladyslav Zhminko, trading as VLStudio, Carrer de Valencia 191, 6.1, 08011, Barcelona, Spain. It applies to security vulnerabilities in the software, the web application, and the backend services we operate. It does not cover third-party services we integrate with (for example, Stripe, Supabase, Google, or the social platforms our analytics dashboard connects to); if you find a vulnerability in one of those, please report it directly to that provider.

2. How to Report

Send a report to [[CONTACT_EMAIL_SECURITY]] (interim address while our own domain mailboxes are being set up: vlstudiopartners@hotmail.com). Please include:

If you prefer, you can also open an issue at our GitHub tracker, github.com/vlad044-z/website_vls/issues, though for sensitive vulnerabilities we recommend the email address above rather than a public issue, so the report is not visible before a fix ships.

3. What We Ask of Researchers

4. Our Commitment to You

If you report a vulnerability in line with this policy, we commit to:

5. A Small, Actively-Developed Product

VLStudio is a small, actively-developed product. We do not have a large dedicated security team, so a fix may take longer than it would at a larger company, especially for issues that touch core infrastructure shared across both VLStudio Desktop and VLStudio Web. In exchange, we ask researchers to give us a reasonable amount of time to remediate an issue before public disclosure.

We suggest 90 days from your initial report as a reasonable default, in line with common industry practice, before any public disclosure of a reported vulnerability. If a fix is ready sooner, we will tell you, and you are welcome to disclose once it has shipped. If more time is actually needed for a complex fix, we will tell you that too, and explain why.

6. Safe Harbor

We consider security research conducted in line with this policy to be authorized, and we will not initiate legal action against a researcher for that research. This applies to activity that:

This safe harbor does not extend to activity that falls outside the scope in Section 1, that violates the guidelines in Section 3, or that targets systems or data belonging to our sub-processors or other third parties rather than VLStudio itself.

7. Contact