Security at Dunamis Studios
How we approach security, how to report a vulnerability, and what we commit to in return.
Our approach
Dunamis Studios builds local-first software. Most customer data, including the business and client data inside Atelier, never leaves the customer's machine. The only Dunamis-bound communication from Atelier is the licensing surface (online activation, daily heartbeat, optional update check), and an opt-in Sync product when the customer activates it. We treat every security disclosure with respect and respond within 5 business days.
Reporting a vulnerability
- Email: security@dunamisstudios.net
- GPG fingerprint: TBD (run scripts/generate-security-gpg-key.sh then paste the 40-hex-digit fingerprint here)
- Public key: /.well-known/security.txt.asc
What to include in the report
- Description of the issue
- Reproduction steps (the more specific, the faster we can confirm)
- Affected version (Atelier semver if a binary issue; commit SHA if a site issue)
- Impact assessment (data exposure, RCE, privilege escalation, denial of service)
- Suggested fix if known (optional, appreciated)
Responsible disclosure policy
- 90-day disclosure timeline. We commit to a fix or a documented mitigation within 90 days of initial report. After 90 days, the researcher is free to publish details of the vulnerability regardless of patch status.
- Safe harbor. Good-faith security research conducted in accordance with this policy will not be subject to legal action under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, or analogous state and international laws.
In scope
- dunamisstudios.com and all subdomains
- atelier.exe and other Dunamis-distributed binaries
- api.dunamisstudios.com activation endpoints
Out of scope
- Denial-of-service attacks or traffic floods
- Social engineering against Dunamis Studios employees
- Physical attacks
- Third-party services we depend on (Stripe, Vercel, Upstash, Resend, GitHub). Report those directly to the affected vendor.
- Automated scanning that generates significant traffic against the site or API
What we commit to
- Acknowledge receipt of your report within 2 business days.
- Initial triage and severity assessment within 5 business days.
- Disclosure coordination: we'll keep you in the loop on the patch timeline and give you advance notice before public disclosure.
- Recognition in the Acknowledgments section below, if you want it. Pseudonym OK; tell us how you'd like to be credited (or whether to credit you at all).
Acknowledgments
No reports yet. Be the first.
Machine-readable security.txt
Per RFC 9116, our security contact info is also available at /.well-known/security.txt.