Security
Frame Localizer Security Disclosure Policy
1. Private reporting
Use the report form on this page to submit a vulnerability privately. Reports submitted here are routed to an admin-only review queue in the Frame Localizer backend and are not published automatically.
Please keep reports non-public while we investigate, and avoid testing that could disrupt service, access someone else's data, or modify data without authorization.
2. Scope
- The public Frame Localizer Figma plugin.
- The hosted backend service used by the plugin on this domain.
- Plugin-to-backend flows such as /api/plan, /v1/me, and /v1/translate.
- Security issues involving how the service handles Figma-derived data, admin access, or runtime persistence.
3. Out of scope
- Figma platform vulnerabilities outside Frame Localizer's own code and hosted service.
- Google, Render, or other third-party services we do not operate.
- Destructive testing, denial-of-service, spam, or attempts to degrade availability.
- Unauthorized access, account takeover attempts, data exfiltration, or modifying data you do not own.
4. Triage and disclosure
- We review the report, confirm whether it is in scope, and prioritize it based on credibility and impact.
- We validate the issue in the plugin or hosted backend and gather remediation context.
- We ship a fix or mitigation, then verify the issue is addressed in the relevant runtime path.
- When appropriate, we coordinate any public disclosure after mitigation is in place.
Frame Localizer does not currently operate a bug bounty or paid rewards program. Responsible reports are still appreciated and reviewed.
5. What to include
- A contact email we can use for follow-up.
- A short title and the affected area or component.
- Clear reproduction steps, including prerequisites or setup.
- Your assessment of the impact.
- Helpful context such as logs, screenshots, request samples, plugin version, or mitigation ideas when available.
Submit only information you are authorized to access. Do not include secrets or personal data that are not necessary to explain the issue.
6. Vulnerability report form
Use this form for private security reports about Frame Localizer. Required fields and length limits are enforced server-side, and a lightweight anti-abuse check is applied to submissions.