We maintain security updates for the following versions:
| Version | Status | Support Until |
|---|---|---|
| 0.3.x | Current | Q2 2027 |
| 0.2.x | Legacy | Q4 2026 |
Earlier versions are no longer supported and should be upgraded immediately.
Do NOT open a public GitHub issue for security vulnerabilities. Public disclosure before a fix is available can put users at risk.
Instead, please report security issues to:
Email: security@lxveace.com
Include:
- A clear description of the vulnerability
- Steps to reproduce (if applicable)
- Your name and contact information
- The version(s) of Tag Studio affected
- Any technical details or proof-of-concept code (optional)
Response Timeline:
- Acknowledgment: Within 24 hours
- Initial Assessment: Within 48 hours
- Fix & Release: Within 14 days (critical issues) or as part of the next scheduled release
- CVE Assignment: Critical vulnerabilities will be assigned a CVE identifier
We will credit you as a security researcher in the release notes (unless you request anonymity).
OS Credential Store: Machine authentication credentials (API keys, tokens, passwords) are stored in the operating system's secure credential storage:
- Windows: DPAPI (Data Protection API) via Windows Credential Manager
These credentials are never stored in plaintext configuration files, environment variables, or log files. The application requests them from the OS at runtime and uses them only for the duration of a single export/machine operation.
Installer Signing: Releases are distributed as Windows installers:
- Windows: Authenticode-signed `.exe` (NSIS)
Signatures are generated by Licensor's secure CI/CD pipeline and verified by the OS before installation. Users should verify signatures before installing.
Local Processing: All label designs, templates, and data files are processed and stored on your local computer. Tag Studio:
- Does not upload designs to any cloud service
- Does not collect telemetry or usage analytics
- Does not contact external servers except to export to user-authorized machines
- Does not embed client/site/equipment identifiers in the source code
No Telemetry: The application contains no crash reporting, feature usage tracking, or advertising.
Tag Studio runs as a single Electron process without OS-level sandboxing. This is necessary because:
- Machine adapters require filesystem access (USB, network, folder paths)
- OS credential store access must be unrestricted
- Template and document I/O must be unrestricted
However, the IPC bridge between the main and renderer processes enforces strict access control — the renderer cannot directly access the filesystem, credential store, or machine adapters.
- Download installers only from the official GitHub Releases page
- Verify the signature (Windows: check the publisher)
- Keep your operating system and all software up to date
- Store machine credentials in the OS credential store (use Tag Studio's credential dialog — never paste into config files)
- Restrict access to your computer (use OS login credentials, enable disk encryption)
- Regularly review which machines are configured in Tag Studio's settings
- Regularly back up your `.tagstudio` documents to external storage
- Use OS-level encryption (BitLocker on Windows)
- Never commit `.tagstudio` files or machine configs to version control (they may contain credentials)
- Install security updates as soon as they are available
- On Windows, Tag Studio will notify you of updates; click "Install" to apply them
Tag Studio integrates with third-party labeling machines via adapters. Security of those integrations depends on:
- The vendor's API design and authentication method
- Network security (USB, Ethernet, WiFi)
- The user's network environment
We cannot guarantee the security of vendor APIs or firmware — report issues to the vendor directly.
Exported PDFs may embed fonts and images. Ensure that:
- Images do not contain sensitive metadata
- Fonts are licensed for your use case
As an Electron app, Tag Studio relies on Chromium's JavaScript engine. Chromium security patches are applied as part of Electron updates. Keep Tag Studio updated to receive the latest engine security fixes.
Once a vulnerability is reported and confirmed, we follow a responsible disclosure timeline:
- Day 0: Vulnerability is reported to security@lxveace.com
- Day 1: Licensor acknowledges receipt and begins investigation
- Day 7: Licensor provides an estimated fix timeline
- Day 14: A patch is released (critical issues) or scheduled for the next release
- Day 15: Public CVE disclosure (if applicable) and detailed security advisory
If a fix requires longer than 14 days, we will communicate interim mitigations and provide a revised timeline.
Tag Studio does not use HTTP (it runs as a desktop app), so traditional security headers (CSP, HSTS, etc.) are not applicable. The application enforces security through:
- Strict Node.js IPC validation
- Context-bridged API access control in the preload layer
- Renderer process restrictions (no native module access)
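The IPC bridge described above and the three enforcement points listed here, as an added example that is not Tag Studio's own code: a validator that sits in front of every IPC handler, holding an allowlist of channels and a per-channel payload check, so a compromised renderer cannot reach the filesystem, credential store or machine adapters except through these narrow calls. The channel names, payload shapes and the configured machine list are assumptions made for illustration.

```javascript
// Added example (not Tag Studio's code): a validated, allowlisted IPC layer of the
// shape the policy describes. Channel names, payload shapes and the configured
// machine list are assumptions made for illustration.

// Constructed stand-in for the machines the user has configured in settings.
const CONFIGURED_MACHINES = new Set(["printer-01", "printer-02"]);

// Template names must be a plain file name with the app's extension: no path
// separators and no "..", so a handler can never be steered outside its directory.
const TEMPLATE_NAME = /^[A-Za-z0-9_-]{1,64}\.tagstudio$/;

function validateTemplateRead(payload) {
  if (payload === null || typeof payload !== "object") return "payload must be an object";
  if (typeof payload.name !== "string" || !TEMPLATE_NAME.test(payload.name)) {
    return "name must be a plain .tagstudio file name";
  }
  return null;
}

// Exports may only target a machine already configured; the renderer supplies an
// id that the main process resolves, never an address or a credential.
function validateMachineExport(payload) {
  if (payload === null || typeof payload !== "object") return "payload must be an object";
  if (typeof payload.machineId !== "string" || !CONFIGURED_MACHINES.has(payload.machineId)) {
    return "machineId is not a configured machine";
  }
  if (typeof payload.document !== "string" || payload.document.length === 0) {
    return "document must be a non-empty string";
  }
  return null;
}

// The only channels the renderer may invoke; anything else is rejected before a
// handler runs. Null prototype so "constructor" or "__proto__" are not matches.
const IPC_CHANNELS = Object.assign(Object.create(null), {
  "template:read": validateTemplateRead,
  "machine:export": validateMachineExport,
});

function validateIpcRequest(channel, payload) {
  const validate = typeof channel === "string" ? IPC_CHANNELS[channel] : undefined;
  if (!validate) return { ok: false, error: `unknown channel: ${String(channel)}` };
  const error = validate(payload);
  return error ? { ok: false, error } : { ok: true };
}

// Wiring in Electron, shown as comments so this file runs without Electron:
//   main.js     ipcMain.handle("template:read", (_event, p) => { const r = validateIpcRequest("template:read", p);
//                 if (!r.ok) throw new Error(r.error); /* read from the template directory */ });
//   preload.js  contextBridge.exposeInMainWorld("tagStudio", { readTemplate: (name) => ipcRenderer.invoke("template:read", { name }) });
```

With context isolation enabled the renderer sees only `window.tagStudio`, never `require`, `fs` or the credential store, which is what makes this allowlist the whole surface rather than one of several paths.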
LxveAce Tag Studio is a desktop application and is not subject to PCI-DSS, HIPAA, or other cloud/SaaS compliance frameworks. However, users in regulated industries should:
- Encrypt their computers and backups
- Store machine credentials securely
- Audit access to Tag Studio and exported files
- Consult their compliance officer before storing sensitive data in label designs
If you have security questions or concerns, please contact:
Email: security@lxveace.com
Web: lxveace.com/security
Last Updated: June 2026