RoleCall Security Policy
Effective Date: May 24, 2026
Last Updated: May 24, 2026
RoleCall Studios LLC ("RoleCall," "we," "us") takes the security of our users' data and our systems seriously. This policy describes how to report a security vulnerability to us, what you can expect from us in response, and the protections we extend to researchers who disclose responsibly.
1. Scope
This policy covers vulnerabilities affecting:
- rolecallstudios.com and all subdomains (the RoleCall web application)
- plotlightstudios.com and all subdomains (the Plotlight discovery and library surface)
- The official RoleCall mobile installable (PWA)
- Supabase-hosted infrastructure where it intersects with the application surface (database, storage buckets, edge functions)
For what is out of scope, see Section 7.
2. How to Report
Send vulnerability reports to:
- Email: boxoffice@rolecallstudios.com
- Subject line prefix: [SECURITY]
We do not currently maintain a public bug-bounty platform. Reports submitted through other channels (public GitHub issues, Discord, social media) may not reach us promptly and, if posted publicly, may put users at risk before a fix is available. Please use the email above.
3. What to Include
To help us triage quickly, please include:
- A description of the vulnerability and its potential impact.
- The affected URL(s), endpoint(s), or component(s).
- Steps to reproduce, with screenshots, request/response captures, or proof-of-concept code where applicable.
- The version, browser, or platform you tested on.
- Whether you have disclosed (or intend to disclose) this to any other party.
- Your contact information and, if relevant, how you wish to be credited.
Reports that include reproducible steps and a clear impact statement receive the fastest response.
4. Our Response
Upon receipt of a valid report:
- Acknowledgement: within 72 hours, confirming we have received the report.
- Triage: within 7 calendar days, with our preliminary assessment of severity and validity.
- Resolution timeline: communicated alongside triage, based on severity. Critical issues affecting the confidentiality of encrypted data or the integrity of authentication are prioritized above all other work.
- Status updates: on material milestones (fix in development, fix deployed, public disclosure).
If we are unable to reproduce the issue or determine it is out of scope, we will explain why.
5. Safe Harbor
We will not pursue legal action, civil or criminal, against security researchers who:
- Make a good-faith effort to comply with this policy.
- Report the vulnerability to us before disclosing it publicly or to any third party.
- Avoid privacy violations, destruction of data, or disruption of service for users other than themselves during testing.
- Do not access, modify, or retain data belonging to other users beyond what is strictly necessary to demonstrate the vulnerability.
- Do not perform testing that would degrade or interrupt service for our users (no denial-of-service, no automated scanners that generate substantial load, no social engineering of our staff or contractors).
This safe harbor applies to activities conducted in accordance with this policy and is limited to claims that are ours to bring or waive (for example, claims under the Computer Fraud and Abuse Act and equivalent state law, to the extent we are able to waive them). It does not bind third parties, payment processors, or hosting providers, whose terms may apply independently.
If at any time you are uncertain whether a planned action is within scope, email us before testing.
6. Coordinated Disclosure
We follow a coordinated disclosure model:
- We work with reporters on a mutually agreeable timeline for public disclosure, typically within 90 days of confirmed triage.
- For critical issues where active exploitation is observed or suspected, we may request an extended embargo to protect users while we deploy mitigation.
- For low-severity issues, we may publish a brief acknowledgement after the fix has shipped.
- Reporters who request anonymity will not be named in any public disclosure. Reporters who wish to be credited will be acknowledged on this page (Section 9) or in release notes, as preferred.
7. Out of Scope
The following are explicitly not within scope of this policy and should not be reported (or, if reported, will be closed without action):
- Denial-of-service attacks, volumetric attacks, or any test that intentionally degrades service.
- Social engineering of RoleCall staff, contractors, or users.
- Physical attacks against RoleCall offices or personnel.
- Reports based solely on automated scanner output without proof of exploitability.
- Missing security headers, cookie flags, or other configuration findings without a demonstrable impact.
- Self-XSS (vulnerabilities that require the victim to paste attacker-controlled input into their own browser console).
- Reports concerning third-party services (Supabase, Cloudflare, Stripe, etc.) that should be reported to those providers directly.
- Findings on staging, preview, or developer environments not listed in Section 1.
- Reports concerning AI model outputs (jailbreaks, prompt injection causing the model to produce undesirable content) that do not exfiltrate data, escalate privileges, or bypass our infrastructure controls. Model-behavior concerns are handled through support@rolecallstudios.com, not this policy.
- Vulnerabilities in user-generated content (characters, lorebooks, presets) that affect only the user who created or imported them.
8. Responsible Use of Discovered Data
If, during good-faith research, you incidentally access data belonging to other users:
- Stop immediately upon recognizing the data does not belong to you.
- Do not retain, share, copy, or disseminate the data.
- Include the incident in your report so we can audit, notify affected users where required, and improve the relevant controls.
- We will not pursue action against you for incidental access as long as the steps above are followed.
9. Recognition
We maintain a recognition list for researchers who have responsibly disclosed valid security issues. Inclusion is opt-in — researchers who wish to remain anonymous will not be named.
Recognition is currently informal: an acknowledgement on this page and, where relevant, in the public release notes for the fix.
We do not currently offer monetary bounties. As the program matures we expect this to evolve; meaningful contributions to user safety will be remembered.
10. Contact
- Security reports: boxoffice@rolecallstudios.com (subject prefix: [SECURITY])
- General support: support@rolecallstudios.com
- Legal / Privacy: boxoffice@rolecallstudios.com
- Postal: RoleCall Studios LLC, mailing address available on request
This policy may be updated to reflect changes in scope, response times, or recognition practices. Material changes will be announced via the changelog at rolecallstudios.com.