Security
Disclosure Policy
1. Scope
This policy covers VLStudio Desktop (the video editing application) and VLStudio Web at vlstudio.live (analytics, community, marketplace, jobs board, and token economy), operated by Vladyslav Zhminko, trading as VLStudio, Carrer de Valencia 191, 6.1, 08011, Barcelona, Spain. It applies to security vulnerabilities in the software, the web application, and the backend services we operate. It does not cover third-party services we integrate with (for example, Stripe, Supabase, Google, or the social platforms our analytics dashboard connects to); if you find a vulnerability in one of those, please report it directly to that provider.
2. How to Report
Send a report to [[CONTACT_EMAIL_SECURITY]] (interim address while our own domain mailboxes are being set up: vlstudiopartners@hotmail.com). Please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce it, including any proof-of-concept code, request, or screenshot needed to confirm it
- The product, version, or URL affected
- Whether you have already disclosed it, or intend to disclose it, anywhere else
If you prefer, you can also open an issue at our GitHub tracker, github.com/vlad044-z/website_vls/issues, though for sensitive vulnerabilities we recommend the email address above rather than a public issue, so the report is not visible before a fix ships.
3. What We Ask of Researchers
- Give us a reasonable opportunity to investigate and remediate an issue before making it public. See Section 5 for our suggested timeline.
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption. Only interact with accounts, data, and systems you own or have explicit permission to test.
- Do not access, modify, or exfiltrate other users' data beyond what is strictly necessary to demonstrate the vulnerability.
- Do not run automated scanning tools that could degrade the service for other users.
- Do not attempt social engineering, phishing, or physical-access attacks against our team, contractors, or users.
4. Our Commitment to You
If you report a vulnerability in line with this policy, we commit to:
- Acknowledge your report within 5 business days of receiving it.
- Work with you to understand and confirm the issue, and keep you reasonably informed of our progress toward a fix.
- Credit you, if you would like to be credited, once the issue is resolved and disclosed.
- Not pursue legal action against you for the good-faith security research covered by this policy, provided you follow the guidelines in Section 3. See Section 6 for the full safe-harbor statement.
5. A Small, Actively Developed Product
VLStudio is a small, actively developed product. We do not have a large dedicated security team, so a fix may take longer than it would at a larger company, especially for issues that touch core infrastructure shared across both VLStudio Desktop and VLStudio Web. In exchange, we ask researchers to give us a reasonable amount of time to remediate an issue before public disclosure.
6. Safe Harbor
We consider security research conducted in line with this policy to be authorized, and we will not initiate legal action against a researcher for that research. This applies to activity that:
- Is conducted in good faith and solely for the purpose of identifying and reporting a vulnerability to us
- Follows the guidelines in Section 3
- Does not involve the sale, extortion, or public disclosure of vulnerability details before the timeline in Section 5 has run, or before we have confirmed a fix, whichever comes first
This safe harbor does not extend to activity that falls outside the scope in Section 1, that violates the guidelines in Section 3, or that targets systems or data belonging to our sub-processors or other third parties rather than VLStudio itself.
7. Contact
- Security disclosures: [[CONTACT_EMAIL_SECURITY]] (interim: vlstudiopartners@hotmail.com)
- Postal: Vladyslav Zhminko, Carrer de Valencia 191, 6.1, 08011, Barcelona, Spain
- GitHub issues (non-sensitive reports only): github.com/vlad044-z/website_vls/issues