Reporting an Orb

When should I report an orb?

There are two reasons to report an orb.

  1. Malicious Orbs: The orb’s content poses a threat to the orb’s users. Examples may include an orb that mines cryptocurrency, or that uploads credentials to a malicious URL.
  2. Accidental Leakage of Private Data: The orb’s content poses a threat to the orb author. For example, a user might have hardcoded AWS keys inside their orb during development and forgotten to remove them before publishing the orb.

What happens after I report an orb?

Your orb report will be reviewed by the CircleCI security team as soon as possible, and responded to in due course.

Malicious orbs will be removed immediately.

For orbs that accidentally leak private data, the response will weigh the potential harm to the orb’s users (from breaking their builds, or transitively removing the orbs they’ve authored) against the harm to the orb’s author.

In the latter case, it’s important to note that once an orb is published, it is public. CircleCI has no way to determine whether a third party has accessed the orb, however briefly it was published. A user who has published a credential or other secret in an orb should consider it compromised and start rotating credentials.

How do I report an orb?

Contact our security team by following the instructions here (including use of encryption keys if you are reporting a serious security vulnerability): https://circleci.com/security/

It’s helpful to include a link to the orb you’re reporting and some details about why this orb qualifies for review.