Responsible Disclosure
We take the security of our systems seriously. If you discover a vulnerability, please let us know as soon as possible so we can fix it.
Scope
This policy applies to all systems operated by cycleplate.com, including the website, web shop and connected integrations.
How to report a vulnerability
Send your report to our security team. Include the type of vulnerability, the affected URL or component, reproduction steps, and — if possible — a suggested fix.
If the address above doesn't work, use info@cycleplate.com with "Security" in the subject line.
Rules of engagement
- Do not share the vulnerability with others until it has been resolved.
- Do not exploit the vulnerability, e.g. by downloading more data than necessary to demonstrate the issue.
- Do not modify or delete data in our systems.
- Do not use attacks involving physical security, social engineering, DDoS, spam or third-party applications.
- Provide enough information to reproduce the vulnerability so we can fix it.
Our commitment
- We will respond within 5 business days with an assessment and an expected resolution timeline.
- We will keep you updated on our progress.
- We will not take legal action against you if you follow the rules above.
- In consultation, we can credit you in our hall of fame as thanks for your report.
Out of scope
- Vulnerabilities in third-party systems (e.g. Shopify, hosting, Meta) — please report those directly to the relevant party.
- Missing security headers without demonstrable impact.
- Reports from automated scanners without manual verification.