Security & Vulnerability Disclosure
Version 2026-05-14 · Effective May 14, 2026
1. Reporting a vulnerability
If you believe you have found a security vulnerability in Conduct Studio — the web app at conductstudio.com, the Conduct desktop app, or any of our backend services — please report it to us privately so we can fix it before it is exploited.
Send reports to **security@conductstudio.com**. We will acknowledge receipt within 72 hours and provide a status update within 7 days. We treat every good-faith report seriously, regardless of severity.
When reporting, please include enough detail for us to reproduce the issue: affected URL or feature, browser/OS, a step-by-step proof of concept, and any relevant logs or screenshots. If your report would include sensitive material (personal data, credentials, session tokens), tell us before sending it so we can arrange an encrypted channel rather than receiving it over plaintext email.
2. What's in scope
The following systems are in scope for reports:
- The Conduct Studio web application served from conductstudio.com.
- The Conduct desktop application (Electron) distributed for macOS, Windows, and Linux.
- Backend APIs served from conductstudio.com (including /api/* routes).
- Authentication flows (magic links, password fallback, session management).
- Billing and subscription handling (Stripe integration).
- Real-time collaboration and chat (Supabase Realtime).
- File storage and signed-URL access (Supabase Storage).
3. What's out of scope
The following are explicitly out of scope. We will acknowledge such reports but will not action them:
- Third-party services we depend on (Supabase, Vercel, Stripe, Brevo, Cloudflare R2, Sentry). Bugs in the vendor's own platform should be reported directly to the vendor; we will coordinate where appropriate. Note that the way we configure and use those services (access rules, bucket permissions, signed-URL handling) is our responsibility and remains in scope under section 2.
- Denial-of-service attacks, rate-limit bypasses where the rate limit is the only defence, or any technique that involves degrading service for other users.
- Social engineering of Conduct staff, customers, or partners — including phishing, vishing, and pretexting.
- Physical attacks against our staff or infrastructure.
- Vulnerabilities in software versions older than the current production release.
- Reports generated solely by automated scanners without a working proof of concept.
- Missing security headers, cookie flags, or TLS configuration details that do not lead to a concrete exploit.
- Self-XSS, clickjacking on pages without sensitive actions, and other low-impact issues that require unrealistic user interaction.
4. Safe harbour
If you make a good-faith effort to comply with this policy during your security research, we will:
- Consider your research authorised and not pursue legal action against you under applicable computer-misuse laws (including the US Computer Fraud and Abuse Act, the UK Computer Misuse Act, and Spain's Ley Orgánica 10/1995, the Spanish Penal Code).
- Work with you to understand and resolve the issue promptly.
- Not file a complaint with law enforcement or pursue civil action for your research.
- Recognise your contribution publicly (with your permission) once the issue is fixed.
5. Rules of engagement
To stay within safe harbour, please:
- Test only against accounts you own. Do not access, modify, or exfiltrate data belonging to other users.
- Stop testing and report immediately if you encounter any user data, payment information, or other sensitive material.
- Do not run automated scanners that generate substantial traffic against production. If you need to test at scale, request prior authorisation.
- Give us reasonable time to remediate before any public disclosure — at minimum 90 days from initial report, or shorter if we mutually agree.
- Do not extort, threaten, or otherwise act in bad faith. Reports made conditional on payment are not covered by safe harbour.
6. Rewards
Conduct Studio is operated as a sole trader and currently does not run a paid bug bounty programme. We offer public recognition (with your permission) for valid reports.
A paid programme may be introduced once revenue allows. If we introduce one, prior reporters whose findings would have qualified will be retroactively eligible at our discretion.
7. Contact
Send vulnerability reports to **security@conductstudio.com**.
For non-security legal matters (DMCA, privacy requests, terms questions), use the contact methods listed on the corresponding policy pages.
This policy is published at /legal/security and the machine-readable contact summary (RFC 9116) at /.well-known/security.txt — both are kept in sync.
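One way to check that a security.txt file is well formed and consistent with the published policy before it is deployed, as an added example that is not Conduct Studio's own tooling. The sample document, the fixed reference clock `FIXED_NOW` and the function names are constructed for illustration; the rules applied are the RFC 9116 ones (Contact and Expires required, Contact must be a mailto:/https:/tel: URI, Expires must be an RFC 3339 timestamp that has not passed and should be under a year out, web URLs must use https:).

```python
"""Validate a security.txt document against the RFC 9116 rules that matter
for keeping it in sync with a published disclosure policy.
Added example; the sample file below is constructed, not the live one."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

REQUIRED = {"contact", "expires"}
CONTACT_SCHEMES = {"mailto", "https", "tel"}
HTTPS_ONLY = {"policy", "canonical", "acknowledgments", "hiring"}

# Fixed reference clock so results are reproducible (assumption for the example).
FIXED_NOW = datetime(2026, 5, 14, tzinfo=timezone.utc)

# Constructed sample that mirrors the policy above.
SAMPLE = """# Constructed example, not the live file
Contact: mailto:security@conductstudio.com
Expires: 2026-11-14T00:00:00Z
Policy: https://conductstudio.com/legal/security
Preferred-Languages: en, es
"""


def parse_security_txt(text):
    """Return (field, value) pairs; comments and blank lines are skipped.
    Field names are case-insensitive in RFC 9116, so they are lower-cased."""
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def check_security_txt(text, policy_url=None, now=None):
    """Return a list of human-readable problems; an empty list means it passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    names = [n for n, _ in fields]
    problems = [f"missing required field: {r.title()}" for r in sorted(REQUIRED - set(names))]
    if names.count("expires") > 1:
        problems.append("Expires must appear exactly once")

    for name, value in fields:
        scheme = urlsplit(value).scheme.lower()
        if name == "contact" and scheme not in CONTACT_SCHEMES:
            problems.append(f"Contact must be a mailto:/https:/tel: URI, got {value!r}")
        elif name in HTTPS_ONLY and scheme != "https":
            problems.append(f"{name.title()} must be an https: URL, got {value!r}")
        elif name == "expires":
            try:
                # fromisoformat() on older Pythons does not accept a trailing 'Z'.
                exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not an RFC 3339 timestamp: {value!r}")
                continue
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif exp <= now:
                problems.append(f"Expires has already passed: {value}")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")

    # Cross-check against the policy page the file is supposed to mirror.
    if policy_url and ("policy", policy_url) not in fields:
        problems.append(f"Policy field does not point at {policy_url}")
    return problems


if __name__ == "__main__":
    for p in check_security_txt(SAMPLE, "https://conductstudio.com/legal/security", FIXED_NOW):
        print("problem:", p)
    print("done")
```

Running the check on every policy revision catches the most common drift: an Expires value that has lapsed (RFC 9116 tells consumers not to rely on an expired file) or a Policy link that no longer matches the page the file is meant to summarise.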