How do I report a security vulnerability?

Reporting Vulnerabilities

If you find a serious security issue, such as any of the following, please contact us with the relevant details, including steps to reproduce or a proof of concept.

  • Injection vulnerabilities

  • Authentication or session problems

  • Improper access to sensitive data

  • Broken access controls

  • Cross-site scripting

  • Anything from the OWASP Top 10 Project

There are some classes of bugs and common reports that we do not act on:

  • Credentials in a third party's .circleci/config.yml

  • Email spoofing, SPF, DKIM, and DMARC errors

Upon discovering a vulnerability, we ask that you act in a way that protects our users' data:

  • Inform us as soon as possible.

  • Test against fake data and accounts, not our users' private data (please ask if you'd like a free account to work on this).

  • Work with us to close the vulnerability before disclosing it to others.

Bug Bounties

If you have found a bug in production, we hope you share this information with us to help improve the security of the broader internet ecosystem.

CircleCI does not have a bug bounty program, and as such, does not issue bounties for bug reports. We do not offer payments for reporting vulnerabilities.
