Reporting Vulnerabilities
If you find a serious security issue such as any of the following issues, please contact us with relevant details including steps to reproduce or a proof-of-concept.
- Injection vulnerabilities
- Authentication or session problems
- Improper access to sensitive data
- Broken access controls
- Cross-site scripting
- Anything from the OWASP Top 10 Project
There are some classes of bugs and common reports that we do not act on:
- Credentials in a 3rd party's .circleci/config.yml
- Email spoofing, SPF, DKIM, and DMARC errors
Upon discovering a vulnerability, we ask that you act in a way to protect our users' data:
- Inform us as soon as possible.
- Test against fake data and accounts, not our users' private data (please ask if you'd like a free account to work on this).
- Work with us to close the vulnerability before disclosing it to others.
Bug Bounties
If you have found a bug in production, we hope you share this information with us to help improve the security of the broader internet ecosystem.
CircleCI does not have a bug bounty program, and as such, does not issue bounties for bug reports. We do not offer payments for reporting vulnerabilities.
In the event that a valuable novel discovery is uncovered, CircleCI agents may offer one bundle of swag as a reward at their discretion. We do not provide custom orders or fulfill specific requests.
Additional Resources
CircleCI's Data Security Policy