Reporting Vulnerabilities

If you find a serious security issue such as any of the following issues, please contact us with relevant details including steps to reproduce or a proof-of-concept.

• Injection vulnerabilities
• Authentication or session problems
• Improper access to sensitive data
• Broken access controls
• Cross-site scripting
• Anything from the OWASP Top 10 Project

There are some classes of bugs and common reports that we do not act on:

• Credentials in a 3rd party's.circleci/config.yml
• Email spoofing, SPF, DKIM, and DMARC errors

Upon discovering a vulnerability, we ask that you act in a way to protect our users' data:

• Inform us as soon as possible.
• Test against fake data and accounts, not our users' private data (please ask if you'd like a free account to work on this).
• Work with us to close the vulnerability before disclosing it to others.

Bug Bounties

If you have found a bug in production, we hope you share this information with us to help improve the security of the broader internet ecosystem.

CircleCI does not have a bug bounty program, and as such, does not issue bounties for bug reports. We do not offer payments for reporting vulnerabilities. 

In the event that a valuable novel discovery is uncovered, CircleCI agents may offer one bundle of swag as a reward at their discretion. We do not provide custom orders or fulfill specific requests. 

Additional Resources

CircleCI's Data Security Policy

• How CircleCI handles security