Security policy

If we lose your code, we're out of business.

Code security (Updated: Mar 17, 2014)

If CircleCI ever disclosed your code to an attacker, whether through our own error or through the error of one of our partners, we would very likely be out of business. So the security of your code base is not just important to us, it is essential to the survival of our company.

CircleCI staff doesn't read your code!

In the normal course of events, CircleCI staff will never read your code! Occasionally, you might ask us for support, or to look into a problem you experience, in which it would be useful for our engineers to read your code. We will only do this if explicitly granted permission to do so as part of a support request, and will never do it otherwise. Outside of a support context, no human reads your code.

However, we occasionally do automated analysis of active projects to provide data over what features and services to provide next. We only analyze projects which are already being tested on CircleCI. For example, when looking at deployment, we ran scripts which told us the percentage of active projects which have Capfiles in their repositories.

Currently, only key employees have the ability to check out your code, including the founders and senior engineers. To reiterate, we would only do so in response to a support request, with explicit permission. Contractors will never be given access to customer code.

Note that this is a change from our early policies, when we believed that customers wanted our help in setting up their CI with CircleCI. Early feedback, however, was unanimous: never ever read customer code unless asked to. So that is our rule!

Our security model

When we run your tests, we run them in a sandbox, meaning you are unable to access another customer's code, and they are unable to access yours. We never ever run any customer code in any context which is not sandboxed, or which allows access to other customer code.

Each sandbox is firewalled, and it is not possible to access a sandbox from another sandbox, or from the internet at large.

CircleCI's founders and employees are well versed in full-stack security. Paul worked on Mozilla's Javascript engine, where every bug is a potential security bug; and was a principal engineer at Lookout, the premiere Android security company. Before that, he did his PhD in static analysis, which kept him well versed with the latest security research and vulnerabilities. Allen was a lead developer at Crossroads, where he provided security audits for their full-stack SAN solution. His experience includes work on Storage Area Networks, Linux kernel drivers and medical imaging software, all of which have an extremely security-oriented focus.

We know what we're doing, and constantly question and audit our sensitive code, and solicit outside feedback about our security.

GitHub authorization

To run your tests, we need to check out your code from GitHub. When you sign up for CircleCI, you tell GitHub that you are authorizing us to check out your private repositories. You may revoke this permission at any time through your GitHub application settings page and by removing CircleCI's Deploy Keys and Service Hooks from your repositories' Admin pages.

While CircleCI allows you to selectively test your projects, note that GitHub's permissions model is "all or nothing" — CircleCI gets permission to access all of a user's repositories or none of them. We have asked GitHub to provide finer-grained permissions, but they have indicated it will not be completed in the short term. Please contact GitHub if this is important to you.

Canceling your account

We do not currently have a button to delete your account, but we will be adding one soon. If you need your account canceled and your data deleted, please contact us at sayhi@circleci.com. To remove CircleCI's access to your GitHub account, you can remove it via your GitHub application settings page. You should also remove CircleCI's Deploy Keys and Service Hooks from your repositories' Admin pages.

Disclosure

If you have found a vulnerability in CircleCI, please contact our security team by email at security@circleci.com. We will do everything in our power to respond and fix the problem immediately. If possible, please encrypt your message using our security team's GPG key (ID: 0x4013DDA7, fingerprint: 3CD2 A48F 2071 61C0 B9B7 1AE2 6170 15B8 4013 DDA7).

Upon discovering a vulnerability, we ask that you act in a way to protect our users' data:

inform us as soon as possible,
test against fake data and accounts, not our users' private data (please ask if you'd like a free account to work on this),
work with us to close the vulnerability before disclosing it to others.

Security Researcher Hall of Fame

We maintain a Security Researcher Hall of Fame to thank individuals who have discovered vulnerabilities and worked with us to resolve them.

Markus Schirp (2016-01-07)
Danyal Zafar (2015-08-08)
Jason Marmon (2014-12-15)
Aditya Agrawal (2014-04-07)
Kevin McCarthy (2014-04-07)
J.m. Gazzaly (2014-03-27)
Ashishkumar B. Dhaduk (2014-03-26)
Muhammad Talha Khan (2014-03-26)
Scott Glossop (2014-03-26)
S. Venkatesh (2014-03-26)
Nitesh Kumar Shilpkar (2014-03-25)
Osanda Malith Jayathissa (2014-03-21)
Rodolfo Godalle, Jr. (2014-03-15)
Jayvardhan Singh (2014-02-03)

To be included on this list, responsibly disclose a security report to use, and provide adequate time to fix the issue. We'll link to your professional website, and send you a CircleCI t-shirt.

Partners with access to your source code

CircleCI is built on Amazon EC2, and we check out your code onto Amazon's EC2 machines. If the EC2 service becomes vulnerable, your source code may also become vulnerable to accidental disclosure. Amazon's Security Center discusses their security in great detail.

Other partners

A small number of partners, who we choose not to enumerate for security reasons, have access to small amounts of our customer data. We constantly audit the data that is provided to them to ensure that this could not be used to gain access to your account or your code.

Feedback

We take security incredibly seriously. If you have any suggestions for how we could improve our security, or improve this policy, please contact us at security@circleci.com. We will act immediately to deal with the issue.

Adam Haney

CTO at Bellhops

“Whether I'm consulting for other businesses or starting a new project myself CircleCI is always on my checklist for setting up the engineering team's testing infrastructure.”

Matt Kent

Head of Engineering at Sprig

“CircleCI is an excellent product and was the clear winner over the alternatives when I tried them all out: I was able to get a green build the fastest and hit the fewest bumps.”

Calvin-French Owen

CTO/Co-founder at Segment

“CircleCI has saved us a ton of time from maintaining our own CI, and we love the ability to both dynamically scale the number of containers and debug manually via SSH when first setting up a project. It's a great tool.”

John Duff

Director of Engineering at Shopify

“CircleCI lets us be more agile and ship product faster. We can focus on delivering value to our customer, not maintaining CI infrastructure.”

Arthur Neves

Developer at Shopify

“One of my favorite things about CircleCI is that their team really cares about making sure their customers get maximum value out of their product.”

Ian Lotinsky

CTO at LearnZillion

“CircleCI makes our products better by allowing us to spend more energy testing them and less time managing a home-grown testing infrastructure.”

Hemal Shah

Product Manager for Mobile Developer Tools at Fabric

“fastlane is built around the principle of continuous deployment. Having a partner like CircleCI that is consistent and reliable enables us to not only deliver the best value to our customers, but deliver it with total confidence.”