Bug bounty Program

We at CircleHD regularly conduct vulnerability research and are proponents of coordinated disclosure. Although we make every effort to secure our presence on the Internet, there are inevitably issues that escape our notice and for those individuals that find vulnerabilities in our sites before we do, we have implemented the CircleHD Bug Bounty program.

We are currently not offering any bug bounty for Wordpress or any third party libraries.

Qualifying vulnerabilities that are found in our sites and reported to us are eligible for a reward based on the category they fall into, based on severity. All reward amounts are paid in US dollars and payment is made via PayPal or bank wire transfer only. Reflected / DOM based XSS vulnerabilities, post authentication issues, file path disclosures, directory listings, CSRF, version disclosures and other similar issues are NOT covered by our bounty program. We of course, reserve the right to refuse any application.

Vulnerabilities that are reported to us remain the property of the researcher and will not be claimed by CircleHD. If the vulnerability exists in a third-party component used on one of our sites, CircleHD will contact the relevant authors of the component with the vulnerability details, in order to have the issue fixed.

CircleHD maintains a number of sites and a vulnerability reported in one site is considered to be reported for all sites, meaning that a researcher cannot claim a bounty for the same vulnerability across multiple sites. The domains that we maintain that are eligible for the Bug Bounty are listed below. Note that our sub-domains are included as well (i.e. docs.circlehd.com, etc.).

*.circlehd.com excluding those serviced by third-party service providers or CNAMED in DNS

Vulnerability researchers are requested to submit their finds via security at *.circlehd.com with all pertinent details along with the steps needed to reproduce the finding.

The CircleHD Bug Bounty program does not give free license to attack any of our Internet sites and abuse will lead to connections/accounts being blocked and/or disabled. Abuse of our systems (such as polluting our forums or bugtrackers) will be grounds for immediate disqualification from any bounties.

For more information, please read about our Bug Bounty Program Insights blog post.

Report Vulnerabilities

Please only use your business email. Public email addresses such as gmail, outlook gets blocked by our spam filter.