🔐 Security Policy for miniCycle
Last Updated: February 16, 2026
Version: 1.0
Reporting a Vulnerability
If you discover a security vulnerability in miniCycle, please report it responsibly:
- Email: admin@sparkincreations.com
- Subject line: [SECURITY] miniCycle vulnerability report
Please do not open a public GitHub issue for security vulnerabilities. Use email for responsible disclosure.
What to Include
When reporting a vulnerability, please include:
- Description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Affected version(s) of miniCycle
- Any suggested fixes (optional but appreciated)
Response Timeline
- Acknowledgment: Within 3 business days
- Assessment: Within 7 business days
- Fix (if confirmed): As soon as reasonably possible, depending on severity
- Disclosure: Coordinated with the reporter after a fix is deployed
Security Measures
miniCycle employs the following security measures:
- Content Security Policy (CSP) — Strict script and resource loading rules with SHA-256 hashes for inline scripts
- XSS Protection — Input sanitization and HTML escaping across all user-facing outputs
- Security Headers — X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and HSTS
- No External Dependencies — Self-hosted fonts and assets; no third-party scripts except contact form submission
- Import Validation — Imported .mcyc files are sanitized and validated before processing
- Local-Only Data — All user data stored in browser localStorage; no server-side storage or transmission
Scope
This security policy covers:
- The miniCycle web application at minicycle.app
- The miniCycle source code at GitHub
Third-party dependencies (listed in package.json) are maintained by their respective owners.
© sparkinCreations • miniCycle™
Security is a core principle.