Responsible Disclosure

We take security seriously and appreciate reports from researchers and customers. If you believe you've found a vulnerability affecting Cichocki systems or websites, please report it responsibly using the process below.

Report a vulnerability

• Submit a vulnerability report →
• Or email: security@cichocki.com

Scope

The following assets are in scope for responsible disclosure:

• In scope: www.cichocki.com, www.threadsync.io, control.threadsync.io, magic.threadsync.io, and any API endpoints served under these domains
• Out of scope: Third-party services (Calendly, Google Workspace, Formspree), physical security, social engineering, denial-of-service attacks, and any testing that degrades service for other users

Guidelines

• Do not access, modify, or delete customer or client data.
• Do not run denial-of-service or automated scanning tests without prior written approval.
• Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate.
• Provide clear reproduction steps, impact assessment, and relevant logs or screenshots.
• Act in good faith to avoid privacy violations, data destruction, and service disruption.

What to include

• Affected URL, endpoint, or component
• Steps to reproduce
• Expected vs. actual behavior
• Severity assessment (your estimate of impact)
• Any proof-of-concept (non-destructive only)
• Your preferred contact information for follow-up

Response timeline

• Acknowledgment: Within 2 business days of receipt
• Triage & severity assessment: Within 5 business days
• Remediation timeline: Communicated within 10 business days
• Coordinated disclosure: We request a minimum of 90 days before public disclosure to allow adequate remediation time

Safe harbor

Recognition

We are grateful to the security community. With your permission, we may acknowledge your contribution on this page after the vulnerability has been remediated. We do not currently operate a paid bug bounty program.