Security

Responsible Disclosure Policy

Found a vulnerability in one of our systems? Here is how to report it safely, and what you can expect from us.

Last Updated: June 2026

Security is at the core of what we do. We believe coordinated, responsible disclosure is the best way to keep everyone safe, and we are committed to working openly with researchers who help us find and fix issues in our systems. This policy explains what is in scope, how to report, and the commitments we make to you in return.

1. Our Commitment

CycloudForte Ltd ("CycloudForte", "we", "us", or "our") is a cybersecurity company. We hold our own systems to the same standard we expect of our clients. We value the work of security researchers and the wider community in helping us keep our products, platforms, and infrastructure secure. If you believe you have found a security vulnerability in any CycloudForte system, we want to hear from you, and we commit to working with you in good faith to resolve it.

2. Scope

This policy applies to security vulnerabilities discovered in systems owned or operated by CycloudForte, including:

In Scope

Our primary website (cycloudforte.com), the Check security health tool (check.cycloudforte.com), the ArcheaOne fraud intelligence platform, the Aegis and Argus products, and any other CycloudForte-operated web application, API, or service.

Out of Scope

Third-party services we use but do not control (for example, our payment processor, email provider, or hosting platform — please report issues in those directly to the relevant vendor), social engineering of CycloudForte staff or clients, physical attacks against our offices or personnel, denial-of-service (DoS/DDoS) testing, volumetric attacks, spam, and findings from automated scanners that have not been manually verified and shown to be exploitable.

3. How to Report

Please email your report to securing@cycloudforte.com (or info@cycloudforte.com if you prefer). To help us triage and resolve the issue quickly, include where possible:

What to Include

A clear description of the vulnerability and the system affected, the steps required to reproduce it (proof-of-concept code, screenshots, or a short screen recording are very helpful), the potential impact as you understand it, and any suggested remediation if you have one. Please report one vulnerability per email so we can track each issue separately.

Encryption

If your report contains sensitive details, let us know and we will arrange a secure channel before you share the specifics.

4. Guidelines for Researchers

We ask that, while investigating, you act in good faith and within the law. Specifically, please:

Do

Give us a reasonable opportunity to investigate and fix the issue before disclosing it publicly or to any third party. Make every effort to avoid privacy violations, degradation of our services, and destruction or modification of data. Only interact with accounts you own or have explicit permission to test. Stop testing and notify us immediately if you encounter any user data (personal data, financial data, credentials, or similar).

Don't

Do not access, modify, or delete data that does not belong to you. Do not run automated scanning at a volume that could degrade our services. Do not publicly disclose the vulnerability before we have confirmed it is resolved. Do not use the vulnerability for any purpose other than verifying and reporting it.

5. Our Commitment to You

When you report a vulnerability in good faith under this policy, we commit to:

Acknowledgement

We will acknowledge receipt of your report within 3 business days.

Communication

We will keep you informed of our progress as we investigate and remediate, and we will let you know when the issue is resolved.

Safe Harbour

We will not pursue or support legal action against researchers who discover and report vulnerabilities in good faith and in accordance with this policy. We consider activity conducted consistent with this policy to be authorised. If legal action is initiated by a third party against you for activity that complied with this policy, we will make it known that your actions were conducted in compliance with our policy.

Recognition

With your permission, we are happy to publicly acknowledge your contribution once the issue is resolved. CycloudForte does not currently operate a paid bug-bounty programme, but we deeply appreciate and recognise the researchers who help us improve.

6. Response Targets

These are the timeframes we aim to meet, measured from the point we confirm a valid vulnerability: acknowledgement within 3 business days, an initial assessment and severity rating within 10 business days, and remediation prioritised by severity — critical issues addressed as an emergency, high-severity issues within 30 days, and medium and low issues folded into our normal release cycle. We will always communicate if a fix will take longer than expected.

7. Legal

This policy is provided to give security researchers clear guidance on reporting vulnerabilities to CycloudForte. It does not grant permission to act in any manner that is inconsistent with the law or that would cause CycloudForte to be in breach of any of its legal or contractual obligations. CycloudForte reserves the right to amend this policy at any time.

8. Contact

CycloudForte Ltd
Security reports: securing@cycloudforte.com
General enquiries: info@cycloudforte.com
Website: www.cycloudforte.com