Aurtiz and Oxtune Technologies take the security of our platform and the protection of our creator community seriously. We appreciate the responsible disclosure of security vulnerabilities by researchers and users.
Security updates are applied to the currently deployed version of the Aurtiz platform. Because Aurtiz is a hosted service (aurtiz.com), patches are deployed continuously. The following table indicates which versions are currently receiving security support:
| Version | Supported |
|---|---|
| Latest production (aurtiz.com) | Yes |
| Older releases | No |
Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in the Aurtiz platform, API, mobile app, or any associated infrastructure, please disclose it responsibly by emailing:
To help us triage and resolve the issue efficiently, please include as much of the following as possible:
- Type of issue (e.g., SQL injection, cross-site scripting, authentication bypass, data exposure, privilege escalation)
- Affected component (e.g., web app, Android app, API, beat marketplace, payout system)
- Steps to reproduce — clear, step-by-step instructions to replicate the vulnerability
- Proof of concept — screenshots, video, or code demonstrating the issue (if safe to share)
- Potential impact — your assessment of the severity and blast radius
- Your contact information — so we can follow up with you
The following are in scope for security reports:
- aurtiz.com — the main web platform (streaming, beat marketplace, artist/producer dashboards)
- Aurtiz Android app — the official mobile application
- Aurtiz API — any publicly documented API endpoints
- Authentication systems — login, registration, session management, OAuth flows
- Payment and payout systems — anything touching financial data or transactions
- Creator data — music uploads, analytics data, personal account information
The following are out of scope:
- Denial-of-service (DoS/DDoS) attacks
- Social engineering of Aurtiz staff or users
- Physical security issues
- Vulnerabilities in third-party services that Aurtiz integrates with (report these to the respective vendors)
- Issues already known to the team (we will confirm if this is the case)
- Automated scanner output without a verified proof of concept
We are committed to the following response timelines:
| Stage | Target Timeline |
|---|---|
| Initial acknowledgment | Within 48 hours |
| Severity assessment | Within 5 business days |
| Status update | Every 7 days until resolved |
| Critical vulnerability fix | Within 72 hours of confirmation |
| High severity fix | Within 14 days of confirmation |
| Medium/low severity fix | Within 30 days of confirmation |
We ask that you:
- Give us reasonable time to investigate and remediate before any public disclosure
- Do not access, modify, or delete user data beyond what is necessary to demonstrate the vulnerability
- Do not disrupt the platform or its users during testing
- Do not exploit the vulnerability for personal gain or share it with third parties
In return, we commit to:
- Acknowledging your report promptly
- Keeping you informed of our progress
- Crediting you for your discovery (if you wish) once the issue is resolved
- Not pursuing legal action against good-faith security researchers following this policy
| Purpose | Contact |
|---|---|
| Security vulnerabilities | security@aurtiz.com |
| General inquiries | hello@aurtiz.com |
| Platform support | support@aurtiz.com |
This security policy applies to the Aurtiz platform, operated by Oxtune Technologies. Last updated: 2024.