/SECURITY · v1.0
Security & Disclosure
Responsible disclosure
If you discover a security vulnerability in any OPUS Studio product, we want to hear about it before anyone else does. We respond personally to every report and treat researcher relationships as a long-term investment.
How to report
Email security@oneapikey.app with:
- A description of the vulnerability and the affected product/URL
- Steps to reproduce (curl / code / screenshots — whatever is clearest)
- Your assessment of impact and severity
- Optional: your name / handle for credit on the wall of fame
For sensitive disclosures, you can encrypt to our PGP key — request it via the same email and we’ll reply with the public key.
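An added example, not part of this page or of OPUS Studio's own tooling, of encrypting a report once the public key has arrived. Because the key itself comes back over plain email, the script refuses to encrypt unless the imported key's fingerprint matches one you have confirmed with the team over a second channel (a call, a signed message, or a fingerprint published elsewhere). The key file name, the expected fingerprint and the report file name are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the OPUS Studio page. Encrypts a vulnerability report
# for security@oneapikey.app with gpg, pinning the recipient key's fingerprint
# to a value confirmed out of band so a swapped key in the email reply is caught.
# Usage: encrypt_report <key.asc> <expected-fingerprint> <report-file>
# Output: <report-file>.asc, an ASCII-armored message to attach or paste.

encrypt_report() {
    key_file=$1
    expected_fpr=$2
    report=$3

    # Argument and file checks run before gpg is touched.
    if [ -z "$key_file" ] || [ -z "$expected_fpr" ] || [ -z "$report" ]; then
        echo "usage: encrypt_report <key.asc> <expected-fingerprint> <report-file>" >&2
        return 1
    fi
    [ -r "$key_file" ] || { echo "key file not readable: $key_file" >&2; return 1; }
    [ -r "$report" ]   || { echo "report not readable: $report" >&2; return 1; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 2; }

    # Normalise the fingerprint you were given: drop spaces, upper-case hex.
    expected_fpr=$(printf '%s' "$expected_fpr" | tr -d ' ' | tr 'a-f' 'A-F')

    # Import into a throwaway keyring so your own keyring is left untouched
    # and the only key present is the one from the email.
    tmp_home=$(mktemp -d) || return 1
    chmod 700 "$tmp_home"
    if ! gpg --homedir "$tmp_home" --batch --quiet --import "$key_file"; then
        rm -rf "$tmp_home"
        return 1
    fi

    # Primary-key fingerprint in machine-readable form: the first "fpr" record.
    actual_fpr=$(gpg --homedir "$tmp_home" --batch --with-colons --fingerprint \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$actual_fpr" != "$expected_fpr" ]; then
        echo "fingerprint mismatch: got $actual_fpr, expected $expected_fpr" >&2
        rm -rf "$tmp_home"
        return 3
    fi

    # Encrypt to the pinned key. --trust-model always is safe here only because
    # the fingerprint was just verified; the keyring contains nothing else.
    gpg --homedir "$tmp_home" --batch --quiet --trust-model always --armor \
        --recipient "$actual_fpr" --output "$report.asc" --encrypt "$report"
    rc=$?
    rm -rf "$tmp_home"
    return $rc
}
```

Run it as `encrypt_report opus-security.asc 'XXXX XXXX ...' report.md` after confirming the fingerprint; a non-zero exit of 3 means the key in the email does not match what the team told you, and the report should not be sent.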
Response targets
- Acknowledgment: within 48 hours
- Triage & severity: within 5 business days
- Fix or remediation plan: within 30 days for High/Critical, longer for Low
- Public disclosure: coordinated — typically 90 days after fix ships, or sooner if mutually agreed
In scope
The following properties are in scope for responsible disclosure:
- opus-studio-eight.com and all subdomains
- oneapikey.app
- droidfleet.dev
- autocmo.app
- descriptions.app
- smarts.domains
- backerpath.com
- kosherweb.co
- OPUS Studio mobile apps published under the studio account
Out of scope
- Findings from automated scanners without a working PoC
- Social engineering of staff
- Denial-of-service tests against production traffic
- Issues in third-party services (Vercel, Resend, Stripe — please report directly to them)
- Vulnerabilities affecting only outdated browsers / clients
- Missing best-practice security headers without a real attack vector
Safe harbor
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations and service disruption
- Only access the minimum data necessary to demonstrate the issue
- Give us a reasonable opportunity to respond before public disclosure
- Don’t exploit the issue beyond what’s needed to confirm it exists
Wall of fame
Researchers who report valid issues are credited (with permission) on this page after the fix is shipped. The wall is currently empty — a good thing if you’re an OPUS Studio user, an opportunity if you’re a researcher.