Circonus Responsible Disclosure Program

Effective May 2020

Circonus takes the protection of our systems and our customers’ information very seriously. As a part of our security efforts, this Responsible Disclosure Program (the “Program”) is intended to help minimize the impact of any security flaw in a product, system or asset belonging to Circonus (collectively, “System”). Towards this objective, we appreciate the helpful role that independent security researchers can play in our security efforts and encourage security researchers to contact us with reports of potential vulnerabilities identified in our software. If you believe you have identified a potential security vulnerability, please submit it pursuant to the terms of this Program. Thank you in advance for your submission. Please note, Circonus does not operate a public bug bounty program and we make no offer of reward or compensation in exchange for submitting potential issues.

Responsible Disclosure Program Rules

Researchers shall disclose potential vulnerabilities in accordance with the following rules:

  1. Do not engage in any activity that can potentially or actually cause harm to Circonus, our customers, or our employees.

  2. Do not engage in any activity that can potentially or actually corrupt, destroy, stop or degrade any System or data.

  3. Do not conduct any kind of physical or electronic attack Circonus personnel, System, data or data center.

  4. Do not interact with any Circonus customer or any customer’s data or account.

  5. Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, or System resides, (ii) data traffic is routed or (iii) the researcher is conducting research activity.

  6. No automated scanning or testing.

  7. Do not store, share, modify, delete, compromise or destroy Circonus or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Circonus. This step protects any potentially vulnerable data, and you.

  8. Submit reports in accordance with the terms of this Program.

  9. Allow Circonus reasonable time to address any reported issue.

  10. Do not share any confidential information of Circonus or any of its employees, customers, partners or contractors.

  11. Do not share any information regarding the alleged vulnerability with any person or entity other than Circonus and Circonus’ personnel.

  12. Do not engage in out-of-scope activities described below.

By responsibly submitting your findings to Circonus in accordance with this Program, such submission will be considered authorized conduct and Circonus will not initiate legal action against you. Circonus reserves all legal rights in the event of noncompliance with this Program.

Once a report is submitted, Circonus commits to provide prompt acknowledgement of receipt of all reports (within two business days of submission) and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.

Submission Format & Instructions

When reporting a potential vulnerability, please include a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (screen captures welcome).

Please email the summary to us at [email protected].

Scope

This Program applies to all of Circonus’ Systems (as defined in the opening paragraph above).

Out of Scope Vulnerabilities

Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program.

Out-of-scope vulnerabilities include:

  • Physical Testing

  • Social Engineering. For example, attempts to steal cookies, fake login pages to collect credentials

  • Phishing

  • Denial of service attacks

  • Resource Exhaustion Attacks

  • Clickjacking on pages with no sensitive actions

Please also note that Circonus employs third-party vendors, and some subdomains may be managed by third-parties. Security issues found in third-party assets which are not managed by Circonus are considered out of scope and should be reported to the affected party directly. When issues reported to the Circonus program originate in a different vendor’s service, Circonus reserves the right to forward submissions to the affected party without further discussion. Please be sure to check our publicly published IP ranges and conduct all necessary due diligence to determine ownership of an asset prior to testing.

Circonus reserves the right to update this Program from time to time and will post each update at this site or a successor site.