CircleCI Security

At CircleCI, our top concern is protecting our users’ intellectual property
and sensitive secrets such as keys, tokens, and credentials.

Have a security concern about CircleCI?

If you find a serious security issue such as any of the following issues, please contact us with relevant details including steps to reproduce or a proof-of-concept.

  • Injection vulnerabilities
  • Authentication or session problems
  • Improper access to sensitive data
  • Broken access controls
  • Cross-site scripting
  • Anything from the OWASP Top 10 Project

There are some classes of bugs and common reports that we do not act on:

  • Credentials in a 3rd party's .circleci/config.yml
  • Email spoofing, SPF, DKIM, and DMARC errors

Upon discovering a vulnerability, we ask that you act in a way to protect our users' data:

  • Inform us as soon as possible.
  • Test against fake data and accounts, not our users' private data (please ask if you'd like a free account to work on this).
  • Work with us to close the vulnerability before disclosing it to others.

CircleCI does not have a bounty program.

We do not offer bug bounties for discovered vulnerabilities. We hope that if you discover vulnerabilities in the course of your work that you share them with us so we can improve the health of the internet ecosystem.

Report your security concerns to CircleCI.

If you are reporting a sensitive issue, please encrypt your message using our security team's GPG key (ID: 0x4013DDA7, fingerprint: 3CD2 A48F 2071 61C0 B9B7 1AE2 6170 15B8 4013 DDA7)

Email security@circleci.com
close

Thank You for Submitting Your Info


You should receive an automated response notifying you that we received your info. Someone from our Enterprise team will be reaching out to you shortly.


CircleCI Success Logo