Security Policy
Last updated: November 19, 2025
Overview
At Ventana Tools LLC, we take security seriously. This policy outlines how to report security vulnerabilities in our products and services, including our website, desktop applications (FontPilot, Zap), and related infrastructure.
Reporting Security Vulnerabilities
What to Report
We encourage responsible disclosure of security vulnerabilities in:
- Website (ventana.tools and related services)
- Desktop Applications (FontPilot, Zap, and future products)
- Infrastructure (CDN, API endpoints, authentication systems)
- Third-party dependencies that affect our products
Ventana Vulnerabilities vs. Windows/Microsoft Vulnerabilities
How to determine if a vulnerability is ours:
- Ventana vulnerability: Issues in our application code, our website, our backend services, or vulnerabilities introduced by our code that affect our products
- Microsoft vulnerability: Issues in the Windows operating system itself, Windows API security, or Microsoft-provided frameworks that affect all Windows applications
If you're unsure: Report it to us. We can help determine if it's a Ventana issue, a Windows issue, or a combination. If it's a Windows vulnerability, we'll guide you to report it to Microsoft appropriately.
What NOT to Report
Please do not report:
- Known Windows security issues (report these to Microsoft via Microsoft Security Response Center)
- Social engineering attacks
- Denial of service (DoS) attacks
- Issues requiring physical access to the device
- Issues related to third-party software or services we integrate with (report to those vendors)
- Outdated dependencies (unless they introduce an active vulnerability in our products)
How to Report
Standard Method (No PGP Encryption)
Email: security@ventana.tools
This address is a shared team inbox and does not support PGP encryption. Use it for reports that do not contain sensitive details; for sensitive information, use the encrypted method below. Reports sent here are shared with the Ventana team as needed.
Encrypted Method (PGP Encryption)
Email: seth@ventana.tools
This email address supports PGP encryption. Seth's PGP public key is available at /.well-known/pgp-key.txt
Note: Seth's individual Ventana email address supports PGP encryption via FlowCrypt; the security@ventana.tools inbox is a shared inbox without encryption.
Alternative Method
Email: ventanatools@protonmail.com
This is a backup address for use when the primary methods are unavailable. It is not our preferred channel, but ProtonMail does provide built-in encryption options.
What to Include in Your Report
Please provide as much detail as possible:
- Description: Clear explanation of the vulnerability
- Product/Service: Which product or service is affected (website, FontPilot, Zap, etc.)
- Version: The version of the product (for desktop apps)
- Steps to Reproduce: Detailed steps to reproduce the issue
- Impact: Potential security impact of the vulnerability
- Proof of Concept: If possible, include a proof of concept or screenshots
- Suggested Fix: If you have ideas for a fix, we'd love to hear them
Response Timeline
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution: Depends on severity, but we aim to address critical issues within 30 days
Responsible Disclosure
We follow a responsible disclosure process:
- Report: Submit your vulnerability report via email
- Confirmation: We'll confirm receipt within 48 hours
- Investigation: We'll investigate and verify the issue
- Fix: We'll develop and test a fix
- Release: We'll release the fix in an update
- Disclosure: With your permission, we'll acknowledge your report publicly
What We Ask of You
- Give us reasonable time to fix the issue before public disclosure
- Do not access or modify data that doesn't belong to you
- Do not perform denial of service attacks
- Do not use social engineering or phishing attacks
- Act in good faith and avoid malicious behavior
Bug Bounty Program
Note: As a small business, Ventana Tools does not currently operate a bug bounty program with monetary rewards. We understand the value of security research and are grateful for responsible disclosure, but we are not able to offer financial compensation for vulnerability reports at this time.
We will, however, publicly acknowledge security researchers who responsibly report valid vulnerabilities (with your permission) and are committed to fixing issues in a timely manner.
Acknowledgments
We appreciate the security research community's efforts to keep our products secure. With your permission, we will publicly acknowledge security researchers who report valid vulnerabilities. See our Security Acknowledgments page.
Questions?
If you have questions about this security policy or need clarification on whether something should be reported, please contact us at security@ventana.tools.
Thank you for helping keep Ventana Tools products and services secure. Your responsible disclosure helps protect all our users.