Skip to content

Security: Aurtiz/aurtiz

Security

SECURITY.md

Security Policy

Aurtiz and Oxtune Technologies take the security of our platform and the protection of our creator community seriously. We appreciate the responsible disclosure of security vulnerabilities by researchers and users.


Supported Versions

Security updates are applied to the currently deployed version of the Aurtiz platform. Because Aurtiz is a hosted service (aurtiz.com), patches are deployed continuously. The following table indicates which versions are currently receiving security support:

Version Supported
Latest production (aurtiz.com) Yes
Older releases No

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in the Aurtiz platform, API, mobile app, or any associated infrastructure, please disclose it responsibly by emailing:

security@aurtiz.com

What to include in your report

To help us triage and resolve the issue efficiently, please include as much of the following as possible:

  • Type of issue (e.g., SQL injection, cross-site scripting, authentication bypass, data exposure, privilege escalation)
  • Affected component (e.g., web app, Android app, API, beat marketplace, payout system)
  • Steps to reproduce — clear, step-by-step instructions to replicate the vulnerability
  • Proof of concept — screenshots, video, or code demonstrating the issue (if safe to share)
  • Potential impact — your assessment of the severity and blast radius
  • Your contact information — so we can follow up with you

Scope

The following are in scope for security reports:

  • aurtiz.com — the main web platform (streaming, beat marketplace, artist/producer dashboards)
  • Aurtiz Android app — the official mobile application
  • Aurtiz API — any publicly documented API endpoints
  • Authentication systems — login, registration, session management, OAuth flows
  • Payment and payout systems — anything touching financial data or transactions
  • Creator data — music uploads, analytics data, personal account information

The following are out of scope:

  • Denial-of-service (DoS/DDoS) attacks
  • Social engineering of Aurtiz staff or users
  • Physical security issues
  • Vulnerabilities in third-party services that Aurtiz integrates with (report these to the respective vendors)
  • Issues already known to the team (we will confirm if this is the case)
  • Automated scanner output without a verified proof of concept

Response SLA

We are committed to the following response timelines:

Stage Target Timeline
Initial acknowledgment Within 48 hours
Severity assessment Within 5 business days
Status update Every 7 days until resolved
Critical vulnerability fix Within 72 hours of confirmation
High severity fix Within 14 days of confirmation
Medium/low severity fix Within 30 days of confirmation

Responsible Disclosure Policy

We ask that you:

  • Give us reasonable time to investigate and remediate before any public disclosure
  • Do not access, modify, or delete user data beyond what is necessary to demonstrate the vulnerability
  • Do not disrupt the platform or its users during testing
  • Do not exploit the vulnerability for personal gain or share it with third parties

In return, we commit to:

  • Acknowledging your report promptly
  • Keeping you informed of our progress
  • Crediting you for your discovery (if you wish) once the issue is resolved
  • Not pursuing legal action against good-faith security researchers following this policy

Contact

Purpose Contact
Security vulnerabilities security@aurtiz.com
General inquiries hello@aurtiz.com
Platform support support@aurtiz.com

This security policy applies to the Aurtiz platform, operated by Oxtune Technologies. Last updated: 2024.

There aren't any published security advisories