Qualifying vulnerabilities that are found in our sites and reported to us are eligible for a reward based on the category they fall into, based on severity. All reward amounts are paid in US dollars and payment is made via PayPal or bank wire transfer only. Reflected / DOM based XSS vulnerabilities, post authentication issues, file path disclosures, directory listings, CSRF, version disclosures and other similar issues are NOT covered by our bounty program. We of course, reserve the right to refuse any application.
Vulnerabilities that are reported to us remain the property of the researcher and will not be claimed by CircleHD. If the vulnerability exists in a third-party component used on one of our sites, CircleHD will contact the relevant authors of the component with the vulnerability details, in order to have the issue fixed.
CircleHD maintains a number of sites and a vulnerability reported in one site is considered to be reported for all sites, meaning that a researcher cannot claim a bounty for the same vulnerability across multiple sites. The domains that we maintain that are eligible for the Bug Bounty are listed below. Note that our sub-domains are included as well (i.e. docs.circlehd.com, etc.).
Vulnerability researchers are requested to submit their finds via security at *.circlehd.com with all pertinent details along with the steps needed to reproduce the finding.
The CircleHD Bug Bounty program does not give free license to attack any of our Internet sites and abuse will lead to connections/accounts being blocked and/or disabled. Abuse of our systems (such as polluting our forums or bugtrackers) will be grounds for immediate disqualification from any bounties.
For more information, please read about our Bug Bounty Program Insights blog post.