🔐 Security Policy for miniCycle
Last Updated: May 2, 2026
Version: 1.1
Reporting a Vulnerability
If you discover a security vulnerability in miniCycle, please report it responsibly:
- Email: admin@sparkinCreations.com
- Subject line: [SECURITY] miniCycle vulnerability report
Please do not open a public GitHub issue for security vulnerabilities. Use email for responsible disclosure.
What to Include
When reporting a vulnerability, please include:
- Description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Affected version(s) of miniCycle
- Any suggested fixes (optional but appreciated)
Response Timeline
- Acknowledgment: Within 3 business days
- Assessment: Within 7 business days
- Fix (if confirmed): As soon as reasonably possible, depending on severity
- Disclosure: Coordinated with the reporter after a fix is deployed
Security Measures
miniCycle employs the following security measures:
- Content Security Policy (CSP) — Strict script and resource loading rules with SHA-256 hashes for inline scripts
- XSS Protection — Input sanitization and HTML escaping across all user-facing outputs
- Security Headers — X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and HSTS
- No External Dependencies — Self-hosted fonts, assets, and scripts; no third-party analytics, advertising, or tracking libraries. Marketing pages post anonymous click and page-view events to a self-hosted Netlify Function on our own infrastructure
- Import Validation — Imported .mcyc files are validated, sanitized, and rejected when they do not match miniCycle's expected structure. As a general best practice, only import routine files from people you trust
- Local-Only Data — All user data stored in browser localStorage; no server-side storage or transmission
Scope
This security policy covers:
- The miniCycle web application at minicycle.app
- The miniCycle source code at GitHub
Third-party dependencies (listed in package.json) are maintained by their respective owners.
© sparkinCreations • miniCycle™
Security is a core principle.