Security Center
At Proto Studio we have a culture of keeping your data safe.
Not only do we practice a security mindset within our own team, but we also provide our customers with tools that make being secure and safe easier. We're not satisfied with just our own customers being safe; we want to extend that to every person whose data is on the Proto Studio platform, and even to the Internet as a whole.
Our Security and Privacy Values
When it comes to security and privacy, there are four foundational values that are ingrained in everything we do. We follow these values when building software, in marketing and sales, and in customer service. And we try to make it as easy as possible for Proto Studio users to live these values as well.
The four values are:
Knowledge
Always be learning and make sure your team and your peers are trained on how to deal with security and private data.
Vigilance
Look at everything through a lens of security and privacy. Take every threat seriously.
Responsibility
Encourage responsible disclosure and shared contributions to security and privacy.
Empathy
Understand the user and how they would want their data to be treated.
Responsible Disclosure Policy
Last updated:
We take a layered and transparent approach to security at all levels from human to data. Our process includes training, monitoring, change control, encryption, and a Bug Bounty / Responsible Disclosure program to encourage community members to be active in security.
You can find the details of our Bug Bounty program on this page and can also find more information in our security.txt file.
Reporting a Security Issue
Overview
Welcome to the Proto Studio Bug Bounty program.
Thank you for your decision to responsibly disclose a security issue. At ProtoStudio we take the security of our software and our community very seriously and have put together a process to make sure that you are rewarded for your work.
What’s in Scope
Any actively exploitable security issue not listed in the exclusions list that affects any of the following:
- Proto.Studio and its subdomains.
- ProtoAuth.com and its subdomains.
- Proto.zip and all its subdomains.
- Open Source projects hosted under https://github.com/proto-studio.
Program Exclusions
- Any issue that has been previously reported in the last 15 days.
- Any issue that has already been patched at the time of the report.
- Denial of Service.
- Exploits that require social engineering.
- 0-day vulnerabilities where a patch has been available for less than 15 days.
- Vulnerabilities in user-created APIs that result from implementation decisions made by the user (including those created by AI on behalf of the user) and not from any Proto Studio platform or Proto Studio/ProtoAuth open source library issue.
- Issues that do not adhere to our Responsible Disclosure policy.
- Issues that require physical access to the target machine.
- Missing HTTP headers that cannot be actively exploited or do not increase the attack surface.
- Missing HttpOnly on cookies that do not contain sensitive information.
- Theoretical issues with no known attack surface.
- Missing or misconfigured SPF, DKIM, or DMARC records on domains that are not used to deliver mail.
- CSRF exploits unless they either modify data (other than last access/login time) or expose sensitive information.
- Use of SMS as multi-factor authentication.
- Issues on third-party websites or libraries not under the control of Proto Studio.
- Packages published by Proto.zip, except for official packages.
Responsible Disclosure
In the interest of protecting our users, we ask that you report an issue to us and give us a reasonable opportunity to fix it prior to public disclosure.
To responsibly disclose a security issue, please send an email to our security team at security@proto.studio. Include a detailed description of the issue, steps to reproduce it, and any supporting evidence. Our team will review your report and take appropriate action.
If possible, please use our PGP key to encrypt your message and any attachments. Attachments will be opened in a sandbox environment. For proofs of concept, please include the full source code with instructions on how to compile and/or run it, as well as the expected output (JavaScript, Python, or Go are preferred). Pre-compiled binaries will not be run.
If the issue is with an Open Source library, we ask that you please do not open an issue directly on GitHub until we've had a chance to investigate, as opening an issue may disclose the problem before a patch is available.
We ask that you wait at least 30 days prior to public disclosure.
Thank you for helping us maintain the security of the ProtoStudio family of products.
Reward
We may offer a non-monetary reward for responsible disclosure of security issues. Such a reward may include:
- A ProtoStudio and/or ProtoAuth T-Shirt or hat.
- Proto Studio and/or ProtoAuth stickers.
- Inclusion in the Hall of Fame.
- Up to 1 year free of Proto Studio Pro (single seat, not including metered usage).
We do not offer cash bounties at this time. Rewards are at the sole discretion of ProtoStudio, depending on the severity of the issue and whether or not it has been previously reported.