Footage ManagerFootage Manager

Security Policy and Responsible Disclosure

How to report security concerns for Footage Manager and what security practices are currently described.

生效日期
2026年7月11日
最后更新
2026年7月11日

本政策目前尚无中文译文,因此显示英文版。韩国用户适用韩文版;您所在地的强制性法定权利不受影响。

1. Scope

This policy covers the Footage Manager website, account pages, license validation service, download/update delivery, and macOS app behavior that connects to Footage Manager services.

It does not create a bug bounty program, service-level commitment, certification claim, or guarantee of compensation.

2. Security practices we currently describe

  • Account requests may be verified through Firebase authentication tokens.
  • Payment card handling is performed through Lemon Squeezy checkout and related payment infrastructure rather than by storing full card numbers in Footage Manager systems.
  • License, billing, and service secrets are intended to be handled on the server side.
  • Rate limiting, failure records, logs, and operational checks may be used to reduce abuse and investigate incidents.
  • Access to operational data should be limited to people who need it for service operation, support, billing, security, or compliance.

3. Reporting a vulnerability

Send security reports to support@footagemanager.com with a clear subject such as "Security report: Footage Manager".

Please include enough detail for us to reproduce and evaluate the issue without causing harm.

  • Affected URL, endpoint, app version, account area, or download/update path
  • Steps to reproduce, expected result, and actual result
  • Potential impact and whether any data may have been exposed
  • Screenshots, request IDs, timestamps, or short proof-of-concept details where appropriate
  • A safe way to contact you for follow-up

4. Responsible research rules

  • Do not access, modify, delete, copy, or disclose data that does not belong to you.
  • Do not run denial-of-service tests, spam, credential stuffing, brute force attacks, social engineering, or physical attacks.
  • Do not attempt payment fraud, subscription bypass at scale, or disruption of Lemon Squeezy, Firebase, AWS, Google, or other provider services.
  • Stop testing and report promptly if you encounter personal data, secrets, private files, or service instability.
  • Do not publicly disclose details until we have had a reasonable opportunity to review and address the report.

5. Usually out of scope

  • Automated scanner output without a demonstrated impact
  • Missing security headers or cookie flags without a realistic exploit path
  • Issues requiring a compromised device, compromised email account, rooted operating system, or malware already running locally
  • Clickjacking or logout CSRF on pages without sensitive state-changing actions
  • Provider-wide outages or weaknesses that must be reported directly to the provider

6. After a report

We will review reports as operationally available. We may ask for clarification, validate impact, decline issues that are not actionable, or coordinate a fix where appropriate.

We do not promise a specific response time, public credit, reward, or compensation. If public credit is appropriate, we will coordinate wording with the reporter first.

相关政策