1. Report a vulnerability
Send security reports through the Creator Twin Discord. Include a clear description of the issue, the affected route or feature, step-by-step reproduction instructions, the impact you believe it has, and any evidence needed to validate the report.
2. Safe reporting expectations
- Do not access data that is not your own beyond the minimum needed to demonstrate the issue; stop once it is proven.
- Do not disrupt creator operations, service availability, or billing workflows.
- Do not publicly disclose the issue before we have had a reasonable opportunity to investigate and fix it.
- Do not attempt social engineering, phishing, or physical attacks against our team or creators.
3. Security controls
- OAuth access uses Fanvue's official authorization flow, with the flow handled server-side.
- Secrets are intended to remain server-side and must never appear in client-side code.
- HTTPS is required for all public endpoints and for OAuth redirect URIs.
- Session identifiers and OAuth tokens are treated as sensitive credentials.
- Operational access to creator data should be limited to what support and maintenance require.
4. Credentials
Creator Twin never asks users for their Fanvue password. Access to Fanvue is expected to happen only through OAuth, and token handling is designed for server-side use.
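The controls in sections 3 and 4 (server-side OAuth flow, secrets kept off the client, https-only redirect URIs, tokens treated as credentials) can be illustrated together. The following is an added example written for this page and is not Creator Twin's or Fanvue's code; the provider endpoint URL, the registered redirect URI, the client id and secret, and the `fake_exchange` stand-in for the token endpoint are all assumptions so the code runs offline. It shows exact-match, https-only redirect URI validation, a single-use anti-CSRF state checked in constant time, a back-channel code exchange that uses the client secret only on the server, and an opaque session id as the only thing the browser receives.

```python
"""Hypothetical server-side OAuth 2.0 authorization-code handling.

Added example only: not Creator Twin's or Fanvue's code. The endpoint URL,
registered redirect URI and token-exchange callable are assumptions.
"""
import hmac
import secrets
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed (hypothetical) values for the example.
AUTHORIZE_URL = "https://provider.example.com/oauth/authorize"
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}


def validate_redirect_uri(uri: str) -> bool:
    """Accept only an exact, https-only match against the registered set.

    Exact-string matching (no prefix, wildcard or path tricks) is what keeps
    a leaked authorization code from being redirected to an attacker's host.
    """
    return urlsplit(uri).scheme == "https" and uri in REGISTERED_REDIRECT_URIS


def query_param(url: str, name: str) -> Optional[str]:
    """Return a single query parameter from a URL, or None if absent."""
    values = parse_qs(urlsplit(url).query).get(name)
    return values[0] if values else None


class ServerSideOAuth:
    """Client secret, anti-CSRF state and provider tokens never leave the server.

    The browser is handed only an opaque session id; the access token is
    looked up server-side when a request on that session needs it.
    """

    def __init__(self, client_id: str, client_secret: str) -> None:
        self._client_id = client_id
        self._client_secret = client_secret          # stays in this process only
        self._pending_states: dict = {}              # state -> redirect_uri
        self._sessions: dict = {}                    # session id -> token record

    def begin_login(self, redirect_uri: str) -> str:
        """Build the authorize URL and remember a random, single-use state."""
        if not validate_redirect_uri(redirect_uri):
            raise ValueError("redirect_uri is not https or not registered")
        state = secrets.token_urlsafe(32)
        self._pending_states[state] = redirect_uri
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code",
            "client_id": self._client_id,            # public identifier only
            "redirect_uri": redirect_uri,
            "state": state,
        })

    def _consume_state(self, state: str) -> Optional[str]:
        """Constant-time lookup of a pending state; each state is valid once."""
        for stored in list(self._pending_states):
            if hmac.compare_digest(stored.encode(), state.encode()):
                return self._pending_states.pop(stored)
        return None

    def handle_callback(self, state: str, code: str,
                        exchange: Callable[[str, str, str, str], dict]) -> str:
        """Validate state, exchange the code server-side, return a session id.

        `exchange(code, redirect_uri, client_id, client_secret)` performs the
        back-channel token request; it is injected so the example runs offline.
        """
        redirect_uri = self._consume_state(state)
        if redirect_uri is None:
            raise PermissionError("unknown, expired or replayed state")
        token = exchange(code, redirect_uri, self._client_id, self._client_secret)
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = token           # token stored server-side only
        return session_id

    def access_token_for(self, session_id: str) -> Optional[str]:
        """Server-side lookup; the token itself is never sent to the client."""
        record = self._sessions.get(session_id)
        return record["access_token"] if record else None


def fake_exchange(code: str, redirect_uri: str, client_id: str, client_secret: str) -> dict:
    """Constructed stand-in for the provider's token endpoint (offline demo only)."""
    assert client_secret, "the back-channel exchange requires the client secret"
    return {"access_token": f"at-for-{code}", "token_type": "bearer",
            "redirect_uri": redirect_uri}


if __name__ == "__main__":
    svc = ServerSideOAuth("client-123", "top-secret")
    url = svc.begin_login("https://app.example.com/oauth/callback")
    state = query_param(url, "state")
    sid = svc.handle_callback(state, "code-xyz", fake_exchange)
    print("browser receives:", sid)                  # opaque id, no token, no secret
    print("server resolves :", svc.access_token_for(sid))
```

The redirect URI check deliberately uses set membership rather than `startswith`, and the state is popped on first use so a replayed callback fails even with a valid code. In a real deployment the pending-state and session maps would live in a store with expiry, and the session id would be set as an `HttpOnly`, `Secure` cookie.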
5. Incident handling
If we confirm a material security issue, we will investigate, contain the risk, rotate any exposed credentials or tokens where applicable, and notify affected parties when appropriate.