How to report
Email security@gocyberplus.com with enough detail to reproduce. PGP optional but appreciated; key on request.
What helps us:
- Steps to reproduce (curl / code / annotated screenshots).
- Affected URL or component.
- Impact: what an attacker could achieve, not just what behaves oddly.
- Your suggested fix (optional, but we'll credit you if you give one).
What we promise
- Acknowledgement within 1 business day.
- Triage and severity assessment within 5 business days.
- Regular updates while we investigate.
- Public credit at our hall of fame when you want it, with the disclosure timeline you negotiate.
- No legal action against good-faith research that stays in scope and follows this policy.
Scope
In scope:
- Anything under
gocyberplus.comand our official mobile apps (iOS, Android). - Our public API endpoints.
- Authentication, authorization, payments, abuse paths.
Out of scope (do not test):
- Third-party services we use (Supabase, Vercel, Resend, Stripe, Cloudflare). Report those upstream.
- Denial-of-service tests, volumetric attacks, or sustained automated scans.
- Physical, social-engineering, or phishing of staff.
- Spam, vulnerability reports about "missing" security headers that don't have a real attack story (we want to hear about real risk).
- Self-XSS, clickjacking on pages with no sensitive actions, and other no-impact reports.
Severity guide
Roughly:
- Critical — RCE, mass account takeover, data exfiltration of all users, payment fraud.
- High — Account takeover requiring user interaction, privilege escalation to staff role, server-side SSRF.
- Medium — Stored XSS in a post, broken authorization on a single resource, sensitive info leak (private posts, draft titles).
- Low — Reflected XSS that requires unusual user behavior, info disclosure of non-sensitive metadata.
- Informational — Hardening recommendations, missing best-practice headers without a clear exploit path.
Bounty
We don't run a paid bounty yet. We do offer swag, credit, and a written recommendation. When we're bigger we'll formalize a bounty program; until then, thank you for the goodwill.
Hall of fame
Security researchers who've responsibly disclosed an issue to Cyber+:
- None yet — you could be first.
Operational security
For day-to-day questions about how we operate:
- All data at rest is encrypted (Supabase Postgres on AWS RDS).
- All data in transit uses TLS 1.2+.
- We do not store user passwords in plaintext (Supabase Auth uses bcrypt-equivalent hashing).
- Service-role and other secret credentials are never embedded in client code.
- We log access requests for security review.
Questions? security@gocyberplus.com.