C+Cyber+Security desk
← BACK
§ — Responsible disclosureEFFECTIVE JUNE 5, 2026

Report a vulnerability.

Cyber+ is built for the security community. If you find a vulnerability, we want to know — and we want to make it easy for you to tell us.


How to report

Email security@gocyberplus.com with enough detail to reproduce. PGP optional but appreciated; key on request.

What helps us:

  • Steps to reproduce (curl / code / annotated screenshots).
  • Affected URL or component.
  • Impact: what an attacker could achieve, not just what behaves oddly.
  • Your suggested fix (optional, but we'll credit you if you give one).

What we promise

  • Acknowledgement within 1 business day.
  • Triage and severity assessment within 5 business days.
  • Regular updates while we investigate.
  • Public credit at our hall of fame when you want it, with the disclosure timeline you negotiate.
  • No legal action against good-faith research that stays in scope and follows this policy.

Scope

In scope:

  • Anything under gocyberplus.com and our official mobile apps (iOS, Android).
  • Our public API endpoints.
  • Authentication, authorization, payments, abuse paths.

Out of scope (do not test):

  • Third-party services we use (Supabase, Vercel, Resend, Stripe, Cloudflare). Report those upstream.
  • Denial-of-service tests, volumetric attacks, or sustained automated scans.
  • Physical, social-engineering, or phishing of staff.
  • Spam, vulnerability reports about "missing" security headers that don't have a real attack story (we want to hear about real risk).
  • Self-XSS, clickjacking on pages with no sensitive actions, and other no-impact reports.

Severity guide

Roughly:

  • Critical — RCE, mass account takeover, data exfiltration of all users, payment fraud.
  • High — Account takeover requiring user interaction, privilege escalation to staff role, server-side SSRF.
  • Medium — Stored XSS in a post, broken authorization on a single resource, sensitive info leak (private posts, draft titles).
  • Low — Reflected XSS that requires unusual user behavior, info disclosure of non-sensitive metadata.
  • Informational — Hardening recommendations, missing best-practice headers without a clear exploit path.

Bounty

We don't run a paid bounty yet. We do offer swag, credit, and a written recommendation. When we're bigger we'll formalize a bounty program; until then, thank you for the goodwill.

Hall of fame

Security researchers who've responsibly disclosed an issue to Cyber+:

  • None yet — you could be first.

Operational security

For day-to-day questions about how we operate:

  • All data at rest is encrypted (Supabase Postgres on AWS RDS).
  • All data in transit uses TLS 1.2+.
  • We do not store user passwords in plaintext (Supabase Auth uses bcrypt-equivalent hashing).
  • Service-role and other secret credentials are never embedded in client code.
  • We log access requests for security review.

Questions? security@gocyberplus.com.