Footage ManagerFootage Manager

Security Policy and Responsible Disclosure

How to report security concerns for Footage Manager and what security practices are currently described.

Effective date
July 11, 2026
Last updated
July 11, 2026

This is the reference version for users outside Korea; the Korean version applies to users in Korea. Mandatory consumer and privacy laws where you live continue to apply.

1. Scope

This policy covers the Footage Manager website, account pages, license validation service, download/update delivery, and macOS app behavior that connects to Footage Manager services.

It does not create a bug bounty program, service-level commitment, certification claim, or guarantee of compensation.

2. Security practices we currently describe

  • Account requests may be verified through Firebase authentication tokens.
  • Payment card handling is performed through Lemon Squeezy checkout and related payment infrastructure rather than by storing full card numbers in Footage Manager systems.
  • License, billing, and service secrets are intended to be handled on the server side.
  • Rate limiting, failure records, logs, and operational checks may be used to reduce abuse and investigate incidents.
  • Access to operational data should be limited to people who need it for service operation, support, billing, security, or compliance.

3. Reporting a vulnerability

Send security reports to support@footagemanager.com with a clear subject such as "Security report: Footage Manager".

Please include enough detail for us to reproduce and evaluate the issue without causing harm.

  • Affected URL, endpoint, app version, account area, or download/update path
  • Steps to reproduce, expected result, and actual result
  • Potential impact and whether any data may have been exposed
  • Screenshots, request IDs, timestamps, or short proof-of-concept details where appropriate
  • A safe way to contact you for follow-up

4. Responsible research rules

  • Do not access, modify, delete, copy, or disclose data that does not belong to you.
  • Do not run denial-of-service tests, spam, credential stuffing, brute force attacks, social engineering, or physical attacks.
  • Do not attempt payment fraud, subscription bypass at scale, or disruption of Lemon Squeezy, Firebase, AWS, Google, or other provider services.
  • Stop testing and report promptly if you encounter personal data, secrets, private files, or service instability.
  • Do not publicly disclose details until we have had a reasonable opportunity to review and address the report.

5. Usually out of scope

  • Automated scanner output without a demonstrated impact
  • Missing security headers or cookie flags without a realistic exploit path
  • Issues requiring a compromised device, compromised email account, rooted operating system, or malware already running locally
  • Clickjacking or logout CSRF on pages without sensitive state-changing actions
  • Provider-wide outages or weaknesses that must be reported directly to the provider

6. After a report

We will review reports as operationally available. We may ask for clarification, validate impact, decline issues that are not actionable, or coordinate a fix where appropriate.

We do not promise a specific response time, public credit, reward, or compensation. If public credit is appropriate, we will coordinate wording with the reporter first.

Related policies