Legal · v1.0.0-draft · effective 2026-05-18

Security Policy

Storage Studio · Techtonic Systems Research and Media LLC

Storage Studio — Security Policy

We take security seriously. This page describes how to report a vulnerability, what's in scope, and what to expect from us.

How to report

Email hi@rajneeshmaurya.com with "Security report" in the subject line. Encrypt sensitive details if you can; see "PGP key fingerprint" below.

Please include:

  • A clear description of the vulnerability.
  • Step-by-step reproduction.
  • The version of Storage Studio you tested (Preferences → About).
  • Your macOS version.
  • The impact you believe is achievable.
  • Whether you have already disclosed this elsewhere, and to whom.

What's in scope

  • The macOS application bundle (Storage Studio.app).
  • The Cloudflare Worker backend at storagestudio.techtonic.systems.
  • The public API endpoints under /api/*.
  • Any other internal endpoint you discover — please report it. We will not penalise good-faith research that follows the rules in What we ask below.

What's out of scope

  • Third-party software bundled with the app (rsync, rclone, Homebrew).
  • Cloudflare, Stripe, and Brevo infrastructure — please report directly to them.
  • Social-engineering, physical, or DoS attacks.

What we ask

  • Do not access, modify, or delete data that is not your own.
  • Do not run automated scanners against our infrastructure without prior approval.
  • Give us a reasonable disclosure window (90 days) before publishing.

What you can expect

  • Acknowledgement within 3 business days.
  • A status update within 14 days.
  • A fix or mitigation in the next minor release, or sooner if the impact warrants.
  • Public credit in the release notes if you want it.

We don't currently run a bug-bounty program, but we are happy to offer:

  • A free Lifetime license.
  • Public acknowledgement.
  • A reasonable token of thanks (sticker, t-shirt) for unique reports.

PGP key fingerprint

To be published. Until then, sensitive reports should be sent over encrypted email using the recipient's S/MIME certificate or a one-time link to a self-destructing paste.

Hall of fame

No reports yet. Be the first.