Security Researcher Hall of Fame

We maintain a Security Researcher Hall of Fame to thank individuals who have discovered medium or high vulnerabilities and worked with us to resolve them.

James Bell
March 10, 2022
Maara Jilek
May 5, 2020
Wafa Abbas
Feb. 8, 2019
Akaash Mukesh Sharma
Sept. 26, 2017
Piyush kumar
Sept. 20, 2017
Yeasir Arafat
Sept. 15, 2017
Markus Schirp
Jan. 7, 2016
Jason Marmon
Dec. 15, 2014
Kevin McCarthy
April 7, 2014
Ashishkumar B. Dhaduk
March 26, 2014
Scott Glossop
March 26, 2014
Nitesh Kumar Shilpkar
March 25, 2014
Rodolfo Godalle, Jr.
March 15, 2014
Anirban Singha
Sept. 26, 2017
Harry M. Gertos
Sept. 20, 2017
Pal Patel
June 21, 2017
Danyal Zafar
Aug. 8, 2015
Aditya Agrawal
April 7, 2014
J.M. Gazzaly
March 27, 2014
Muhammad Talha Khan
March 26, 2014
S. Venkatesh
March 26, 2014
Osanda Malith Jayathissa
March 21, 2014
Jayvardhan Singh
Feb. 3, 2014

To be included on this list, responsibly disclose a security report to us, and provide adequate time to fix the issue.
We’d be happy to link to your professional website and/or send you CircleCI swag.

Have a security concern about CircleCI?

If you find a serious security issue such as any of the following issues, please contact us with relevant details including steps to reproduce or a proof-of-concept.

  • Injection vulnerabilities
  • Authentication or session problems
  • Improper access to sensitive data
  • Broken access controls
  • Cross-site scripting
  • Anything from the OWASP Top 10 Project
  • Email spoofing, SPF, DKIM, and DMARC errors

There are some classes of bugs and common reports that we do not act on:

  • Credentials in a 3rd party's .circleci/config.yml

Upon discovering a vulnerability, we ask that you act in a way to protect our users' data:

  • Inform us as soon as possible.
  • Test against fake data and accounts, not our users' private data (please ask if you'd like a free account to work on this).
  • Work with us to close the vulnerability before disclosing it to others.

CircleCI does not have a bounty program.

We do not offer bug bounties for discovered vulnerabilities. We hope that if you discover vulnerabilities in the course of your work that you share them with us so we can improve the health of the internet ecosystem.

Report your security concerns to CircleCI.

If you have found a vulnerability in CircleCI, please contact our security team by email at

If you are reporting a sensitive issue, please encrypt your message using our security team's GPG key (ID: 0x4013DDA7, fingerprint: 3CD2 A48F 2071 61C0 B9B7 1AE2 6170 15B8 4013 DDA7)