CircleCI Data Security Policy

This policy is to be read in conjunction with our Terms of Service and Privacy Policy. Nothing in this policy invalidates, overrides or negates our Terms of Service or Privacy Policy or any other agreement between CircleCI and other parties.

Reporting Security Concerns to CircleCI

If you have found a vulnerability in CircleCI, please contact our security team by email at security@circleci.com. If you are reporting a sensitive issue, please encrypt your message using our security team's GPG key (ID: 0x4013DDA7, fingerprint: 3CD2 A48F 2071 61C0 B9B7 1AE2 6170 15B8 4013 DDA7).

We're confident in our implementation around matters such as email spoofing and DKIM records. However, here are some issues we would be excited to hear about:

• Injection vulnerabilities
• Authentication or session problems
• Improper access to sensitive data
• Broken access controls
• Cross-site scripting
• Anything from the OWASP Top 10 Project

Upon discovering a vulnerability, we ask that you act in a way to protect our users' data:

• Inform us as soon as possible.
• Test against fake data and accounts, not our users' private data (please ask if you'd like a free account to work on this).
• Work with us to close the vulnerability before disclosing it to others.

Overview of Security at CircleCI

CircleCI offers both a hosted service that runs on infrastructure we control (SaaS) in a multi-tenant configuration and installed software (Behind the Firewall) that runs in single-tenant installations on infrastructure controlled by our customers. These two modalities have very different security considerations, particularly in regards to access by CircleCI personnel. For specific concerns related to running behind your firewall, see our Enterprise security documentation. In both cases, CircleCI takes security very seriously.

CircleCI approaches security first and foremost to protect our customer’s intellectual property and sensitive keys, tokens, and other sensitive secrets. We employ a variety of safeguards to isolate and encrypt customer data and use a tiered security model to protect sensitive customer information such as deployment credentials. We employ layers of access control to prevent unauthorized access to our underlying infrastructure. We also implement application-level security to ensure access to build information and code goes only to those who are authorized.

The primary areas of our security practices related to customer data are:

• Source Code
• Runtime Isolation
• Environment Variables (secrets)
• Console Output and Artifacts

Source Code Security

We use oAuth to GitHub and/or Bitbucket as our primary authentication mechanism and mirror the permissions to code in those systems. If a user has read/write access to a repository in GitHub, they have access to the configuration and information about that repository in CircleCI.

When you sign up for CircleCI, you tell GitHub or Bitbucket that you are authorizing us to check out your private repositories. You may revoke this permission at any time through your GitHub settings page or Bitbucket settings page by removing CircleCI's Deploy Keys and Service Hooks from your repository's Admin page.

Access by our systems to your source code is always encrypted over the wire using SSH and/or HTTPS.

To run your tests, we check out your code from GitHub or Bitbucket. In many cases, we may cache the code within our infrastructure. In both cases, access to the code and all cached versions of code is based on user tokens that match user permissions from GitHub or BitBucket.

Runtime Isolation

When we run your tests on our own machines, we run them in a secure sandbox, either a Docker/LXC container or a virtual machine. You are unable to access another customer's code or runtime environment and they are unable to access yours.

Each sandbox is firewalled, and it is not possible to access a sandbox from another sandbox, or from the Internet at large. Each job starts in a fresh sandbox, and each sandbox is destroyed after each job, preventing leaking of secrets or other sensitive information from inside the runtime to other jobs.

All communication between our systems and the runtime environment are encrypted over the wire using SSH and/or HTTPS.

Environment Variables (Secrets)

Environment variables are the typical mechanism most of customers use to store and provide various tokens, keys, and other secrets to the runtime environment for doing deployments, integrating with 3rd-party systems, etc. We store all environment variables encrypted at rest associated with a specific repository in source control. Access to environment variables is restricted only to those with access to the repo associated with the environment variables. Environment variables are unencrypted and injected into the runtime environment when each job starts and disappear after the sandbox running the job disappears after the job if finished.

Console Output and Artifacts

Console output of your jobs is stored in our databases and made available only to those with read access to the underlying repositories. Artifacts are stored in private S3 buckets and available only by authenticated users with read access to the underlying repository. In both cases, encryption is employed over the wire using SSH and/or HTTPS.

Canceling Your Account or Deleting Data

If you need your account canceled and/or your data deleted, please contact us at sayhi@circleci.com.

Partners with access to your source code

CircleCI is built on Amazon EC2, and we check out your code onto Amazon's EC2 machines. If the EC2 service becomes vulnerable, your source code may also become vulnerable to accidental disclosure. Amazon's Security Center discusses their security in great detail.

Other partners

A small number of partners, who we choose not to enumerate for security reasons, have access to small amounts of our customer data. We constantly audit the data that is provided to them to ensure that this could not be used to gain access to your account or your code.

Security Researcher Hall of Fame

We maintain a Security Researcher Hall of Fame to thank individuals who have discovered medium or high vulnerabilities and worked with us to resolve them.

• Akaash Mukesh Sharma (2017-09-26)
• Piyush kumar (2017-09-20)
• Yeasir Arafat (2017-09-15)
• Anirban Singha (2017-09-26)
• Harry M. Gertos (2017-07-20)
• Pal Patel (2017-06-21)
• Markus Schirp (2016-01-07)
• Danyal Zafar (2015-08-08)
• Jason Marmon (2014-12-15)
• Aditya Agrawal (2014-04-07)
• Kevin McCarthy (2014-04-07)
• J.m. Gazzaly (2014-03-27)
• Ashishkumar B. Dhaduk (2014-03-26)
• Muhammad Talha Khan (2014-03-26)
• Scott Glossop (2014-03-26)
• S. Venkatesh (2014-03-26)
• Nitesh Kumar Shilpkar (2014-03-25)
• Osanda Malith Jayathissa (2014-03-21)
• Rodolfo Godalle, Jr. (2014-03-15)
• Jayvardhan Singh (2014-02-03)

To be included on this list, responsibly disclose a security report to us, and provide adequate time to fix the issue. We'd be happy to link to your professional website and/or send you CircleCI schwag.

Feedback

We take data security matters seriously. If you have a concern or suggestion to improve our security (or improve this policy) please contact us at security@circleci.com.