Security & Vulnerability Disclosure

Last updated: 2026-07-02

We take the security of our services and our users' data seriously. This page describes how to report a vulnerability in any ONTOOLER service and what to expect from us. A machine-readable version is available at /.well-known/security.txt.

Reporting a vulnerability

If you believe you have found a security vulnerability in any ONTOOLER service, please email ai@onoffer.kr with the subject line "SECURITY". Please include: a description of the issue, steps to reproduce (or a proof of concept), the affected URL/endpoint or plugin, and your contact information.

Please give us a reasonable opportunity to remediate before any public disclosure.

Our response process

  • Acknowledgement: we confirm receipt within 48 hours (business days).
  • Triage: we assess severity and impact, and keep you informed of our assessment.
  • Remediation: critical issues are patched as fast as possible — our services run on serverless infrastructure (Cloudflare Workers), so fixes deploy in minutes once ready. Lower-severity issues are fixed in the next release.
  • Disclosure: we will let you know when the issue is resolved, and are happy to credit you if you wish.

Scope

  • ontooler.com and www.ontooler.com (web portal)
  • api.ontooler.com (license / plugin API)
  • admin.ontooler.com (admin dashboard)
  • Our Figma plugins: Psyfi, Snap3D, Traxel

Rules of engagement

We ask security researchers to act in good faith:

  • Do not run denial-of-service or volumetric attacks.
  • Do not access, modify, or delete data that is not your own. If you encounter another user's personal data, stop immediately and report it.
  • Do not use social engineering, phishing, or physical attacks against our staff or infrastructure.
  • Only test against accounts you own.

We will not pursue legal action against researchers who follow these rules and report issues in good faith.

How our services are built

  • Infrastructure: Cloudflare Workers (serverless, platform-patched) and Supabase managed PostgreSQL — both operated by SOC 2 / ISO 27001-certified providers. We run no self-managed servers.
  • Transport: all traffic is HTTPS/TLS.
  • Credentials: account passwords are handled by Supabase Auth with industry-standard hashing. Plugin session tokens are random 256-bit values stored server-side only as SHA-256 hashes, with a 30-day expiry and immediate revocation on sign-out.
  • Payments: card data is processed entirely by Toss Payments (PCI DSS certified) and never touches our systems.
  • Plugins: file conversion and rendering run entirely on-device inside the plugin. Design or file content is never transmitted to, or stored on, our servers — network calls are limited to license and sign-in checks against api.ontooler.com.

Contact

Security reports: ai@onoffer.kr (subject "SECURITY") General support: ai@onoffer.kr Operator: (주)온오퍼 (ONTOOLER)