Security & Responsible Disclosure

GeneDevStudios builds tools for security and compliance professionals. We take the security of our platform seriously and welcome reports from researchers who do the same.

Found a vulnerability?

Report it privately. We will acknowledge your report within 2 business days.

Our security practices

We build security in by default. The following measures are in place across all GeneDevStudios products and infrastructure:

HTTPS everywhere

All traffic is encrypted in transit. HTTP is not served. HSTS is enforced with a one-year max-age.

Secure authentication cookies

Session tokens are stored in HttpOnly, Secure, SameSite cookies scoped to the genedevstudios.com domain. They are never accessible to JavaScript.

Input validation

All API routes validate and sanitize inputs server-side. Field lengths are enforced. Enum values are allowlisted.

Passwords never stored in plain text

Account passwords are hashed using bcrypt before storage. Plain-text passwords are never logged or retained.

Payment data isolation

No card numbers, bank details, or payment credentials pass through our servers. All payment processing is delegated to Stripe (PCI-DSS Level 1).

Security headers

All responses include Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers.

Rate limiting

Authentication, checkout, and registration endpoints are rate-limited at the network edge to prevent brute force and abuse.

Web Application Firewall

Cloudflare WAF with OWASP Core Ruleset is active. Managed rules block common attack patterns including SQLi, XSS, and path traversal.

Bot protection

Cloudflare Turnstile is used for invisible bot detection on registration. Bot Fight Mode is enabled at the network layer.

In-house development

All GeneDevStudios software is developed and maintained in-house. We review dependencies before adoption and monitor for known vulnerabilities.
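The transport, cookie and header controls listed above can be checked mechanically against any single HTTPS response. The following is an added example, not GeneDevStudios code: it takes a response's headers and its Set-Cookie values and reports which of the controls described on this page are absent or weaker than stated (HSTS max-age under one year, a listed header missing, a session cookie without HttpOnly, Secure or SameSite). The sample responses are constructed for illustration, and treating SameSite=None as insufficient is this example's own choice.

```python
"""Check one HTTPS response against the controls described on this page.

Added example, not GeneDevStudios code. Sample responses are constructed.
"""
from typing import Dict, List

# Headers the page says every response carries (compared case-insensitively).
REQUIRED_HEADERS = (
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)
ONE_YEAR_SECONDS = 31_536_000  # the stated HSTS max-age


def _parse_directives(value: str) -> Dict[str, str]:
    """Parse 'a=1; b; c=x' style header values into a lowercase-keyed dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip()
    return directives


def check_response(headers: Dict[str, str], set_cookies: List[str]) -> List[str]:
    """Return a list of findings; an empty list means every control was present."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS must be present with a max-age of at least one year.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = _parse_directives(hsts).get("max-age", "0")
        if not max_age.isdigit() or int(max_age) < ONE_YEAR_SECONDS:
            findings.append(f"HSTS max-age {max_age} is below one year")

    # Every security header listed on the page must be present.
    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append(f"missing {name}")

    # Each cookie must be HttpOnly, Secure and carry SameSite=Strict or Lax
    # (SameSite=None is flagged here as a deliberate choice of this example).
    for cookie in set_cookies:
        name_value, _, attr_text = cookie.partition(";")
        cookie_name = name_value.split("=", 1)[0].strip()
        attrs = _parse_directives(attr_text)
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
        if attrs.get("samesite", "").lower() not in ("strict", "lax"):
            findings.append(f"cookie {cookie_name} lacks SameSite=Strict/Lax")
    return findings


# Constructed sample: a response that matches every control described above.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}
GOOD_COOKIES = [
    "session=abc123; Path=/; Domain=genedevstudios.com; HttpOnly; Secure; SameSite=Lax"
]

# Constructed sample: a short HSTS lifetime, most headers missing, a bare cookie.
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=86400", "X-Frame-Options": "DENY"}
WEAK_COOKIES = ["session=abc123; Path=/"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("good", GOOD_HEADERS, GOOD_COOKIES),
                                 ("weak", WEAK_HEADERS, WEAK_COOKIES)):
        print(label, check_response(hdrs, cookies) or "all controls present")
```

Run against a real response by feeding it the header map and the raw Set-Cookie values from your HTTP client; the function only inspects headers, so it never touches request bodies or other users' data.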

Scope

In scope

  • genedevstudios.com — the public website and all subdomains
  • Anvil CRAFT — the web application, API endpoints, and authentication flows
  • Anvil FORGE — the desktop application, local data handling, and update mechanism

Out of scope

  • Social engineering attacks against GeneDevStudios employees or customers
  • Physical security attacks
  • Denial of service (DoS/DDoS) attacks
  • Third-party services we rely on (Cloudflare, Stripe) — report those to the respective vendors
  • Vulnerabilities in third-party open-source dependencies not introduced by GeneDevStudios code
  • Automated scanner output submitted without proof of exploitability
  • Issues in end-of-life or explicitly unsupported versions of Anvil FORGE
  • Theoretical vulnerabilities without a working demonstration

Rules of engagement

To qualify for safe harbor protection and good-faith recognition, we ask that you:

  • Report findings promptly and privately to [email protected] before any public disclosure
  • Provide sufficient detail to reproduce and assess the issue (see reporting guidelines below)
  • Do not access, modify, delete, or exfiltrate data belonging to other users
  • Do not degrade or disrupt the availability of the service for others
  • Do not use findings for any purpose beyond demonstrating the vulnerability to us
  • Do not publicly disclose the vulnerability until the coordinated disclosure period has elapsed (see timeline below)
  • Test only against accounts and data you own or have explicit permission to test

Authorized testing

There are two categories of security research:

Passive discovery

If you discover a vulnerability through normal use of the product, manual inspection, or review of publicly accessible resources — no prior authorization is needed. Report what you found and you are covered by our safe harbor.

Active / automated testing

If you intend to run automated scanners, fuzz inputs, or conduct any testing that generates non-trivial load against our infrastructure, you must request explicit authorization first. Email [email protected] with a description of the testing scope and methodology. Unauthorized automated testing is not covered by safe harbor regardless of intent.

How to report

Send your report to [email protected]. If your finding is highly sensitive and you would like to discuss a secure transmission channel before sending details, email us first to arrange that.

A useful report includes:

  • A clear description of the vulnerability and its potential impact
  • The affected product, endpoint, or component
  • Step-by-step reproduction instructions
  • Proof of concept (screenshot, HTTP request/response, or minimal code)
  • Your assessment of severity using the CVSS v3.1 scoring system (a score and base vector string if possible)
  • Any suggested mitigations, if you have them

You do not need to have a complete CVSS score to submit a report. A clear description and reproduction steps are more valuable than a score alone.

Response timeline

We commit to the following after receiving a report:

Milestone | Commitment
Initial acknowledgment | Within 2 business days
Triage & severity assessment | Within 7 days of acknowledgment
Resolution — Critical / High (CVSS ≥ 7.0) | Target: 30 days from acknowledgment
Resolution — Medium (CVSS 4.0–6.9) | Target: 60 days from acknowledgment
Resolution — Low / Informational (CVSS < 4.0) | Target: 90 days from acknowledgment
Coordinated public disclosure window | 90 days from initial acknowledgment

If a resolution requires more time than the target window, we will communicate that to you proactively with an updated estimate. We will not ask you to indefinitely delay disclosure beyond the 90-day window without your agreement.

Safe harbor

Genetic Development Studios LLC will not initiate or recommend legal action against researchers who discover and report security vulnerabilities in good faith in accordance with this policy. We consider good-faith security research to be a valuable contribution and commit to working with researchers collaboratively.

Safe harbor applies when the researcher:

  • Follows the rules of engagement described above
  • Reports the finding privately to us before any public disclosure
  • Makes a good-faith effort to avoid accessing other users' data or disrupting the service
  • Does not exploit the vulnerability beyond what is necessary to demonstrate its existence

Researchers conducting active or automated testing without prior written authorization are not covered by this safe harbor, regardless of intent.

Safe harbor under this policy does not waive any rights against third parties, does not override applicable law, and does not apply to actions that fall outside the scope of this policy. If you are uncertain whether your research activity qualifies, email us at [email protected] before proceeding.

Recognition

We do not currently offer a monetary bug bounty. Researchers who submit valid, in-scope vulnerabilities in good faith will receive a private acknowledgment from our team. We appreciate every report and treat each one seriously — your research directly contributes to the security of tools used by compliance professionals.

Contact

Genetic Development Studios LLC

Security disclosures

[email protected]

If your finding is sensitive and you would like to arrange a secure transmission channel before sending details, email us first and we will accommodate that request.