Security

How we handle security, and how to report a problem.

Reporting a vulnerability

Email austin@liner.studio. Please include a description of the issue, steps to reproduce, and your name or handle if you want public acknowledgment.

If the issue is sensitive enough that email feels wrong, request a PGP key in your first message and we'll send one.

Please don't open public issues for security bugs, post about them before we've responded, or test against other artists' accounts.

Response times
  • Acknowledge your report within 3 business days.
  • Triage and share an initial severity read within 7 business days.
  • Resolve critical issues within 30 days; lower-severity issues within 90 days.

If a deadline is going to slip, we'll tell you why.

Scope

In scope:

  • liner.studio and all subdomains (app., login., admin.)
  • Liner's API surface under /api/*
  • OAuth flows for Google Workspace and Supabase Auth
  • Data isolation between artists

Out of scope:

  • Third-party services we depend on — report directly to Supabase, Vercel, Anthropic, Google, Stripe, Resend, or Cloudflare
  • Social engineering of Liner staff or artists
  • Physical attacks
  • Denial-of-service via brute traffic (rate limits are intentional; please don't try to exhaust them)
  • Issues that require a fully compromised client device
  • Best-practice findings without a concrete impact

Safe harbor

We will not pursue legal action against researchers who make a good-faith effort to follow this policy: avoid privacy violations, data destruction, and service degradation; do not access or exfiltrate data belonging to other users; and give us reasonable time to address an issue before disclosure.

If you're unsure whether something is in scope, email us first.

Our security posture
  • At-rest encryption. Google OAuth refresh tokens are encrypted with AES-256-GCM keyed by a per-environment key, with a randomized IV per record and verified auth tag on decrypt. Plaintext refresh tokens never reach the database.
  • Per-tenant isolation. Every per-artist table has row-level security scoped on the authenticated user. Storage buckets enforce folder-prefix policies keyed on the artist's user id.
  • Billing gate at the database layer. Trial-expired accounts are blocked from writes at the RLS layer — not just in the UI.
  • Server-only privileged keys. The Supabase service-role key is loaded server-only and never reaches client code.
  • Transport security. HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, restricted Permissions-Policy. Auth cookies are domain-scoped so subdomains share the session.
  • Rate limiting. Public-facing intake endpoints are rate-limited per IP (IP hashed with a salt before storage).
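
The at-rest encryption and rate-limiting items above, as an added TypeScript example that is not Liner's code: it seals a refresh token with AES-256-GCM under a 32-byte key, draws a fresh 96-bit IV for every record, stores iv || tag || ciphertext behind a version prefix, and lets the GCM tag check reject any record that was modified or sealed under a different key. The salted IP hash for rate-limit buckets uses HMAC-SHA256; the page only says the IP is hashed with a salt, so the HMAC choice, the `v1:` record layout, the hex-encoded key input and the sample token and salt values are assumptions made for this example.

```typescript
// Added example, not Liner's own code. Uses only Node's built-in crypto module.
import { createCipheriv, createDecipheriv, createHmac, randomBytes } from "node:crypto";

const KEY_BYTES = 32;          // AES-256 key length
const IV_BYTES = 12;           // 96-bit nonce, the size GCM is specified for
const TAG_BYTES = 16;          // full 128-bit authentication tag
const RECORD_VERSION = "v1";   // assumed prefix so the layout can be rotated later

// Turn a hex-encoded per-environment key (assumed to come from an env var) into key bytes.
export function loadTokenKey(hex: string | undefined): Buffer {
  if (!hex) throw new Error("token key not configured");
  const key = Buffer.from(hex, "hex");
  if (key.length !== KEY_BYTES) throw new Error(`token key must be ${KEY_BYTES} bytes`);
  return key;
}

// Seal a plaintext refresh token. Output: "v1:" + base64(iv || tag || ciphertext).
export function encryptRefreshToken(plaintext: string, key: Buffer): string {
  const iv = randomBytes(IV_BYTES);  // fresh per record; an IV must never repeat under one key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return `${RECORD_VERSION}:${Buffer.concat([iv, tag, ct]).toString("base64")}`;
}

// Open a sealed record. Throws if the version is unknown, the layout is too short,
// or the GCM tag does not verify (any flipped bit in iv, tag or ciphertext, or a wrong key).
export function decryptRefreshToken(record: string, key: Buffer): string {
  const sep = record.indexOf(":");
  if (sep < 0 || record.slice(0, sep) !== RECORD_VERSION) throw new Error("unknown record version");
  const blob = Buffer.from(record.slice(sep + 1), "base64");
  if (blob.length < IV_BYTES + TAG_BYTES) throw new Error("record too short");
  const iv = blob.subarray(0, IV_BYTES);
  const tag = blob.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
  const ct = blob.subarray(IV_BYTES + TAG_BYTES);
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  // final() throws on tag mismatch, so a tampered record never yields plaintext.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Flip the last ciphertext byte of a record; used to show the tag check firing.
export function corruptRecord(record: string): string {
  const sep = record.indexOf(":");
  const blob = Buffer.from(record.slice(sep + 1), "base64");
  blob[blob.length - 1] ^= 0x01;
  return `${record.slice(0, sep)}:${blob.toString("base64")}`;
}

// Keyed hash of a client IP for rate-limit buckets: stable within one salt,
// and not reversible to the address by anyone who lacks the salt.
export function hashClientIp(ip: string, salt: Buffer): string {
  return createHmac("sha256", salt).update(ip.trim()).digest("hex");
}

// Round trip with a constructed key, salt and token (not real secrets).
export function demo(): { roundTrip: boolean; tamperRejected: boolean; ipBucket: string } {
  const key = loadTokenKey("07".repeat(KEY_BYTES));
  const salt = Buffer.from("constructed-salt-for-demo");
  const sealed = encryptRefreshToken("1//0-constructed-refresh-token", key);
  let tamperRejected = false;
  try {
    decryptRefreshToken(corruptRecord(sealed), key);
  } catch (e) {
    tamperRejected = true;
  }
  return {
    roundTrip: decryptRefreshToken(sealed, key) === "1//0-constructed-refresh-token",
    tamperRejected,
    ipBucket: hashClientIp("203.0.113.7", salt),
  };
}
```

Storing the IV and tag alongside the ciphertext is what makes the per-record IV workable: nothing secret is in the IV, it only has to be unique, and the tag is what turns a silent bit flip into a hard failure that the caller can treat as "token unusable, re-consent required".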

Acknowledgments

Researchers who have reported valid issues, with their permission, will be listed here. Nobody yet.

Last updated May 22, 2026.