Security is core to our business.
Every day, customers trust us with access to their source code and other secrets. We work hard to earn that trust by baking security into our platform at every point in the systems development lifecycle, from including Security engineers from the design phase on, through to quarterly third-party audits of our production systems. Our hard work enables CircleCI customers to develop amazing products safely and reliably. Anything that prevents that, therefore, is a top concern for us. Most of the time, that work is making sure we build our software securely so we can build yours securely too. Sometimes, however, we work to prevent people from misusing our platform in a way that harms our customers.
This includes those who take advantage of our free plan in order to mine cryptocurrency.
Abusing CI to mine cryptocurrency
As is common in our space, we provide free plans to customers to allow them a chance to evaluate our platform. We also provide free compute to the open source community. However, our industry has seen increasing numbers of actors using free plans like these to mine cryptocurrency, rather than build software. The mechanics of mining cryptocurrency varies, but they all usually involve exchanging some value for a proof of work provided by the miner. In this case, they are using resources we provide for the open source community and instead using them to perform work that they get paid for.
Our platform is protected by a cross-functional team of security experts, operations engineers, data scientists, and developers whose ongoing work comprises spotting and eradicating abuse of our platform. This covers any use of our platform that violates our terms of service, including mining cryptocurrency. Using sophisticated analyses, we spot groups that are using our platform to mine cryptocurrency, as well as prevent the organizations deemed likely to be cryptominers from signing up in the first place.
We have banned over 80,000 abusive users of our platform this year to date, and as our detection methods improve, we expect to continue to see abuse of our platform decline. We also work closely with other companies in the CI space to share details of known abusive organizations, as well as their attack techniques and how we detect them. By continually learning from each other, we are constantly adding to the toolset we have available to eradicate abuse of our platform.
Thank you for keeping CircleCI safe
To anyone that has reported the possibility of cryptomining on our platform, thank you! We’re aware of it and confident in our implementation. Additionally, we’d love to hear about any other security vulnerabilities you may find – email us at firstname.lastname@example.org.
Join our team
Does working on this sound like an amazing job? If so, we have a Senior Threat Detection Engineer opening for someone amazing who will work on this full time. For other open roles, see our Careers page.