What happens after I report an orb?
Your orb report will be reviewed by the CircleCI security team as soon as possible, and responded to in due course.
Malicious orbs will be removed immediately.
For orbs that accidentally leak private data, the decision to remove the orb is weighed against the potential harm to the orb’s users (breaking their builds, or transitively removing orbs they’ve authored that depend on it) and the harm to the orb’s author.
On the latter point, it’s important to note that once an orb is published, it is public. CircleCI has no way to determine whether a third party has accessed the orb, however briefly it was published. Anyone who has published a credential or other secret into an orb should treat that secret as compromised and start rolling credentials immediately, whether or not the orb is later removed.
How do I report an orb?
Contact our security team by following the instructions here (including use of encryption keys if you are reporting a serious security vulnerability):
It’s helpful to include a link to the orb you’re reporting and some details about why this orb qualifies for review.