Rubix Studios takes the security of its websites, hosting services, software, infrastructure, and client systems seriously.
If you believe you have discovered a security issue affecting a Rubix Studios managed service, product, website, server, application, or client-facing system, we ask that you report it to us responsibly so it can be investigated, fixed, and disclosed where appropriate.
Supported scope
Before submitting a report, please confirm that the issue affects a system currently operated, maintained, or managed by Rubix Studios.
Security reports may include issues affecting:
- Websites and applications
- Hosting infrastructure
- Actively managed client systems
- Software projects
- Authentication, access control, or session handling
- Data exposure or unintended access to private information
- Server, DNS, email, or control panel configuration
- Vulnerabilities in deployed integrations or automation systems
Out-of-date software, abandoned systems, or third-party platforms outside our control may not be eligible for direct remediation by Rubix Studios. Where appropriate, we may refer the issue to the relevant vendor, upstream maintainer, hosting provider, or affected client.
Security contact
Please report security issues by email:
Include enough detail for us to understand, validate, and reproduce the issue.
A strong report should include:
- A clear summary of the issue
- The affected domain, IP address, service, endpoint, or application
- Steps to reproduce the issue
- The expected result and actual result
- Screenshots, request samples, logs, or proof-of-concept details where helpful
- The potential security impact
- Whether any data was accessed, modified, deleted, or exposed
- Your preferred contact details for follow-up
Please avoid sending large attachments where possible. Plain text reports are preferred because they make technical review, quoting, and follow-up discussion easier.
Encryption
If your report includes highly sensitive information, you may encrypt your message using our public PGP key:
https://rubixstudios.com.au/.well-known/pgp-key.asc
PGP fingerprint:
0B81 B0C4 815A 7D08 1C52 2A81 1A1B F3E1 25F5 AE1E
Please avoid sending unnecessary personal information, credentials, customer data, database exports, private keys, or large samples of sensitive records.
If you believe sensitive data is exposed, provide the smallest safe sample required to demonstrate the issue.
Responsible testing
When researching or reporting an issue, please avoid actions that could harm Rubix Studios, our clients, or end users.
Do not:
- Disrupt production services
- Perform denial-of-service testing
- Access, download, modify, or delete data that is not yours
- Attempt privilege escalation beyond what is required to prove impact
- Use malware, persistence, backdoors, or destructive payloads
- Conduct social engineering, phishing, spam, or physical attacks
- Attempt to access employee, contractor, or client accounts without permission
- Publicly disclose the issue before we have had a reasonable opportunity to investigate and remediate it
If you accidentally access sensitive data, stop testing immediately and include the details in your report.
Response process
Rubix Studios will review submitted security reports as soon as practical.
We aim to:
- Acknowledge valid reports promptly
- Triage the issue based on severity, exploitability, and affected systems
- Investigate and reproduce the reported behaviour
- Apply mitigations or fixes where required
- Coordinate with affected clients, vendors, or upstream providers where necessary
- Keep the reporter informed where appropriate
Response times may vary depending on the complexity of the issue, the systems involved, and whether third-party vendors or client approvals are required.
Disclosure
Rubix Studios supports coordinated vulnerability disclosure.
Please do not publicly disclose a vulnerability until we have completed our investigation and, where applicable, released or deployed a fix.
Once a fix is available, we may publish a security advisory, changelog entry, client notice, or internal incident summary depending on the impact and affected audience.
At the request of the reporter or an affected party, we may delay or limit technical details where disclosure could increase risk before affected systems are protected.
Security recognition
Rubix Studios may acknowledge valid security reports where appropriate and where the reporter agrees to be publicly credited.
Security acknowledgments are published here:
https://rubixstudios.com.au/legal/security-recognition
Recognition is provided at our discretion and does not imply payment, employment, endorsement, or a commercial relationship.
CVE assignment
Rubix Studios does not normally assign CVEs directly.
If a CVE has already been assigned to the issue, please include the CVE ID in your report so we can coordinate communication and remediation. A CVE is not required for us to investigate or fix a security issue.
Infrastructure
Some systems operated by Rubix Studios rely on third-party software, hosting platforms, control panels, plugins, themes, APIs, and open-source components.
If the issue is caused by an upstream product, we may recommend reporting it directly to the vendor or maintainer. Where the issue affects Rubix Studios infrastructure or clients, we may still take defensive action, apply mitigations, or coordinate disclosure.
Automated scanner findings are welcome when they identify a practical security risk. However, some scanner results may represent outdated checks, low-impact configuration warnings, or intentional trade-offs required for compatibility.
Reports are most useful when they explain the real-world impact rather than only listing scanner output.
Bug bounties
Rubix Studios does not currently operate a paid bug bounty program.
We appreciate responsible reports from security researchers and will review valid submissions in good faith.
Submission of a report does not create an entitlement to payment, compensation, public credit, employment, or commercial engagement unless agreed in writing before testing.
Safe harbour
Rubix Studios will not pursue legal action against researchers who act in good faith, avoid harm, and follow this policy.
This does not authorise testing against third-party systems, unmanaged client systems, or any activity that is unlawful, destructive, disruptive, or privacy-invasive.
If you are unsure whether testing is permitted, contact us first.
Report template
You may use the following structure when submitting a report:
Subject: Security report: [brief issue summary]
Affected system:
[Domain, IP, application, endpoint, project, or service]
Summary:
[Short description of the issue]
Steps to reproduce:
1.
2.
3.
Impact:
[What could an attacker do? What data or access is at risk?]
Evidence:
[Safe screenshots, request samples, logs, or proof-of-concept details]
Data accessed:
[Confirm whether any sensitive data was accessed, modified, deleted, or exposed]
Suggested fix:
[Optional]
Contact details:
[Your preferred email or contact method]
This policy is effective from 27th May 2026.
