How do I report a security vulnerability?

Reporting Vulnerabilities

If you find a serious security issue, such as any of the following, please contact us with relevant details, including steps to reproduce or a proof of concept.

  • Injection vulnerabilities
  • Authentication or session problems
  • Improper access to sensitive data
  • Broken access controls
  • Cross-site scripting
  • Anything from the OWASP Top 10 Project

There are some classes of bugs and common reports that we do not act on:

  • Credentials in a 3rd party's .circleci/config.yml
  • Email spoofing, SPF, DKIM, and DMARC errors

Upon discovering a vulnerability, we ask that you act in a way that protects our users' data:

  • Inform us as soon as possible.
  • Test against fake data and accounts, not our users' private data (please ask if you'd like a free account to work on this).
  • Work with us to close the vulnerability before disclosing it to others.

Bug Bounties

If you have found a bug in production, we hope you share this information with us to help improve the security of the broader internet ecosystem.

CircleCI does not have a bug bounty program, and as such, does not issue bounties for bug reports. We do not offer payments for reporting vulnerabilities. 

In the event that a valuable novel discovery is uncovered, CircleCI agents may offer one bundle of swag as a reward at their discretion. We do not provide custom orders or fulfill specific requests. 

Additional Resources

CircleCI's Data Security Policy
