
Security Policy

Security is a top priority for Staged. Learn about our security practices and how to responsibly report vulnerabilities.

Our Security Approach

Staged is designed with security in mind from the ground up. We follow industry best practices and maintain transparency about our security posture.

User-Mode Driver

Staged uses Microsoft's IddCx framework, which runs entirely in user mode. No kernel access, no ring-0 code, no system-level risks.

Signed Binaries

All distributed binaries are digitally signed. Unsigned builds will trigger Windows security warnings.

Open Source

Our entire codebase is public on GitHub. Every line of code can be audited by anyone, anytime.

No Network Access

Staged does not require internet access to function. No telemetry, no analytics, no data collection in the core app.

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly. We appreciate your help in keeping Staged and our users safe.

Contact Information

Please send security reports to one of the following addresses:

What to Report

  • Remote code execution vulnerabilities
  • Privilege escalation issues
  • Memory corruption bugs
  • Authentication or authorization bypasses
  • Data exposure or leakage
  • Denial of service vulnerabilities
  • Driver-related security issues

Out of Scope

  • Social engineering attacks
  • Physical access attacks
  • Issues in dependencies (report upstream)
  • Already known/public vulnerabilities
  • Issues requiring extensive user interaction

Responsible Disclosure Process

We follow a responsible disclosure process to ensure vulnerabilities are addressed properly before public disclosure.

  1. Report: Send details of the vulnerability to our security email. Include steps to reproduce.
  2. Acknowledge: We will acknowledge receipt within 48 hours and begin investigation.
  3. Investigate: Our team will investigate and determine the severity and impact.
  4. Fix: We will develop and test a fix, keeping you informed of progress.
  5. Release: Fix will be released and security advisory published with credit (if desired).

What We Commit To

  • Acknowledge receipt of your report within 48 hours
  • Investigate and provide initial assessment within 7 days
  • Keep you informed about our progress throughout the process
  • Credit you in our security advisory (if desired)
  • Not pursue legal action against good-faith researchers

Questions?

If you have questions about our security practices or need clarification on the reporting process, feel free to reach out.