| Version | Supported |
|---|---|
| 0.x.x | Yes (development) |

We take the security of Studio Pair seriously. If you discover a security vulnerability, please report it responsibly.

DO NOT create a public GitHub issue for security vulnerabilities.

- Email security@studio-pair.com with a description of the vulnerability
- Include steps to reproduce the issue
- Include the potential impact
- If possible, suggest a fix

Once a report is received, the response timeline is as follows:

- Acknowledgment: We will acknowledge receipt within 48 hours
- Assessment: We will assess the vulnerability within 5 business days
- Resolution: Critical vulnerabilities will be patched within 7 days; others within 30 days
- Disclosure: We will coordinate disclosure timing with you

Studio Pair implements the following security measures:

- Two-tier encryption: Standard encryption (TLS in transit and encryption at rest) for most data; client-side encryption for sensitive modules (Vault, Health, Private Capsule)
- Authentication: Argon2id/bcrypt password hashing, TOTP-based 2FA, short-lived access tokens
- Authorization: Multi-layer authorization model (auth, space membership, role, ownership, share permissions, privacy mode, entitlement)
- Data protection: GDPR-compliant data handling, right to deletion, data export
- Input validation: Server-side validation on all endpoints, parameterized queries
- Rate limiting: Configurable per-endpoint rate limiting with exponential backoff

The following are in scope for security reports:

- Authentication and authorization bypasses
- Data exposure or leakage
- Encryption weaknesses
- Injection vulnerabilities (SQL, XSS, etc.)
- Privilege escalation
- CSRF/SSRF vulnerabilities

The following are out of scope:

- Denial of service attacks
- Social engineering
- Physical security
- Third-party service vulnerabilities