1. Scope
This policy covers the Footage Manager website, account pages, license validation service, download/update delivery, and macOS app behavior that connects to Footage Manager services.
It does not create a bug bounty program, service-level commitment, certification claim, or guarantee of compensation.
2. Security practices we currently describe
- Account requests may be verified through Firebase authentication tokens.
- Payment card handling is performed through Lemon Squeezy checkout and related payment infrastructure rather than by storing full card numbers in Footage Manager systems.
- License, billing, and service secrets are intended to be handled on the server side.
- Rate limiting, failure records, logs, and operational checks may be used to reduce abuse and investigate incidents.
- Access to operational data should be limited to people who need it for service operation, support, billing, security, or compliance.
3. Reporting a vulnerability
Send security reports to support@footagemanager.com with a clear subject such as "Security report: Footage Manager".
Please include enough detail for us to reproduce and evaluate the issue without causing harm.
- Affected URL, endpoint, app version, account area, or download/update path
- Steps to reproduce, expected result, and actual result
- Potential impact and whether any data may have been exposed
- Screenshots, request IDs, timestamps, or short proof-of-concept details where appropriate
- A safe way to contact you for follow-up
4. Responsible research rules
- Do not access, modify, delete, copy, or disclose data that does not belong to you.
- Do not run denial-of-service tests, spam, credential stuffing, brute force attacks, social engineering, or physical attacks.
- Do not attempt payment fraud, subscription bypass at scale, or disruption of Lemon Squeezy, Firebase, AWS, Google, or other provider services.
- Stop testing and report promptly if you encounter personal data, secrets, private files, or service instability.
- Do not publicly disclose details until we have had a reasonable opportunity to review and address the report.
5. Usually out of scope
- Automated scanner output without a demonstrated impact
- Missing security headers or cookie flags without a realistic exploit path
- Issues requiring a compromised device, compromised email account, rooted operating system, or malware already running locally
- Clickjacking or logout CSRF on pages without sensitive state-changing actions
- Provider-wide outages or weaknesses that must be reported directly to the provider
6. After a report
We will review reports as operationally available. We may ask for clarification, validate impact, decline issues that are not actionable, or coordinate a fix where appropriate.
We do not promise a specific response time, public credit, reward, or compensation. If public credit is appropriate, we will coordinate wording with the reporter first.