---
title: "Responsible Disclosure | DuoCircle Trust"
description: "How to report a security issue to DuoCircle. Acknowledgment within one business day. Safe harbor for good-faith research that follows responsible disclosure norms."
image: "https://trust.duocircle.com/og-default.png"
canonical: "https://trust.duocircle.com/responsible-disclosure/"
---

# Responsible Disclosure

If you believe you have found a security issue in any DuoCircle product, please tell us. We acknowledge reports within one business day and most often the same day. Reviewed 2026-05-06.

## Where to send a report

Email [security@duocircle.com](mailto:security@duocircle.com). We do not require a CVE pre-assignment or a polished writeup. We just want the details.

## What to include

The more of the following you can give us up front, the faster we can confirm and remediate.

- The product or domain affected (for example, dmarcreport.com or autospf.com).
- A description of the issue and the security impact you believe it has.
- Steps to reproduce, including any specific URLs, payloads, or accounts used.
- Screenshots or short videos if they help, but they are never required.
- Whether you have shared this with anyone else and any embargo deadline you would like us to honor.
- How you would like to be credited, if at all, in any post-fix advisory.

## What to expect from us

- **Acknowledgment** within one business day, usually the same day.
- **Triage** against our internal severity definitions, with a target initial assessment within three business days.
- **Status updates** as we investigate and as remediation progresses.
- **Credit** in any public advisory we issue, if you would like it. We are happy to keep your report private.
- **No legal action** against good-faith research that follows the rules of engagement below.

## Scope

The following DuoCircle properties are in scope for responsible disclosure.

- duocircle.com and any subdomain
- autospf.com
- dmarcreport.com
- phishprotection.com
- outboundsmtp.com
- tenantmigration.com
- mailflowmonitoring.com
- alumniforwarding.com
- nureply.com
- inboxissue.com

## Out of scope

The following classes of report are typically not actionable. Please check this list before sending.

- Issues in third-party services we use, where the appropriate report path is the third party. We are happy to coordinate disclosure on a case-by-case basis.
- Reports based purely on missing security headers without a demonstrated exploit path.
- Theoretical attacks without a working proof of concept.
- Self-XSS that requires the victim to paste payloads into their own browser.
- Clickjacking on pages without sensitive state-changing actions.
- Open redirects without a demonstrated security impact.
- Username enumeration on public sign-up flows.
- Reports that one of our domains can be spoofed because it does not publish an enforcing DMARC policy (p=reject). We know which of our domains enforce reject and which do not.
- Denial-of-service, volumetric, or stress testing of any kind.
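Before filing a spoofing report, it is worth checking what the target domain's DMARC record actually enforces. The following is an added example, not DuoCircle code: it evaluates a `_dmarc` TXT RRset the way a receiving MTA does, including the cases that trip people up (a `pct` below 100, a weaker `sp` for subdomains, and duplicate records, which RFC 7489 says receivers must treat as no policy at all). The sample records are constructed; against a real domain you would feed it the output of `dig +short TXT _dmarc.example.com`.

```python
"""Decide whether a domain's published DMARC record enforces reject.

Added example, not DuoCircle code. The TXT records below are constructed;
against a live domain you would fetch them from DNS first, e.g.
`dig +short TXT _dmarc.example.com`, and pass the strings in.
"""
from __future__ import annotations

from typing import Optional


def select_dmarc_record(txt_records: list[str]) -> Optional[str]:
    """Pick the DMARC record out of the TXT RRset at _dmarc.<domain>.

    RFC 7489 s6.6.3: records that do not begin with the exact string
    "v=DMARC1" are ignored, and if more than one DMARC record remains the
    receiver treats the domain as having no DMARC policy. A stray duplicate
    therefore silently disables enforcement, a common misconfiguration.
    """
    candidates = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    return candidates[0] if len(candidates) == 1 else None


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def effective_policy(record: str, subdomain: bool = False) -> tuple[str, int]:
    """Return (disposition, pct) a receiver applies to mail failing DMARC.

    'sp' overrides 'p' for subdomains only when present; an absent or
    invalid 'p' is treated as 'none'. 'pct' (default 100) is the share of
    failing mail that gets the stated disposition; the rest gets the next
    weaker one, so p=reject with pct=0 enforces nothing at all.
    """
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()
    if subdomain and "sp" in tags:
        policy = tags["sp"].lower()
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    pct = max(0, min(100, pct))
    return policy, pct


def enforces_reject(txt_records: list[str], subdomain: bool = False) -> bool:
    """True only if the domain unambiguously rejects 100% of failing mail."""
    record = select_dmarc_record(txt_records)
    if record is None:
        return False
    policy, pct = effective_policy(record, subdomain)
    return policy == "reject" and pct == 100


# Constructed sample RRsets (not real lookups) covering the usual edge cases.
SAMPLES = {
    "strict":     ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "sampled":    ["v=DMARC1; p=reject; pct=10"],
    "lax_subdom": ["v=DMARC1; p=reject; sp=none"],
    "monitoring": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "duplicate":  ["v=DMARC1; p=reject", "v=DMARC1; p=quarantine"],
    "not_dmarc":  ["v=spf1 include:_spf.example.com -all"],
}

if __name__ == "__main__":
    for name, rrset in SAMPLES.items():
        print(f"{name:11} org domain rejects: {enforces_reject(rrset)}, "
              f"subdomains reject: {enforces_reject(rrset, subdomain=True)}")
```

Only the `strict` sample, and `lax_subdom` at the organizational domain, come out as enforcing reject; a `pct=10` record, a duplicate record, or an `sp=none` on a subdomain does not, which is the distinction the out-of-scope rule above turns on.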

## Rules of engagement

If you stay within these rules, we will not pursue legal action against you for your research.

- Use only your own accounts or accounts you have explicit permission to test. Do not access or modify other customers' data.
- If you obtain access to data that is not yours, stop, do not download or copy it, and report what you can describe without exfiltrating.
- No social engineering of DuoCircle staff, partners, or customers.
- No physical testing of DuoCircle facilities or those of our subprocessors.
- No denial of service. Throttle automated tools so that they do not impact availability.
- Do not disclose the issue publicly until we have shipped a fix or 90 days have passed since your initial report, whichever is sooner. We are happy to discuss longer or shorter embargoes when warranted.

## Bug bounty

DuoCircle pays for real vulnerabilities under a deliberately strict bounty program. Working proofs of concept against in-scope production systems are paid; automated scanner output, missing-header findings without an exploit chain, and the long tail of policy nits are not. [See the bounty page](/security/bug-bounty/) for what qualifies, what does not, and how submissions are handled.

## Exposed credentials and customer data dumps

If you find leaked credentials for a DuoCircle customer (paste sites, breach corpora, dark-web markets, public buckets, etc.), please contact us immediately at [security@duocircle.com](mailto:security@duocircle.com). The same applies if you find a dump of DuoCircle customer data anywhere it should not be.

- **Verify the credentials actually log in** against the affected service before reporting. We get a high volume of stale-list reports where the password no longer works. A live credential is the bar.
- **Do not exfiltrate or redistribute the data.** Tell us what you have, where you found it, and the size. Do not send us a copy of the corpus.
- **Treat customer data dumps as urgent.** Put **URGENT: customer data exposure** in the email subject so the report pages our on-call team.

These are typically customer-side exposures (credential reuse, third-party breaches), not DuoCircle system issues, so they are **not eligible for a bounty payment**. We will contact the affected customer, help them rotate, and find a way to thank you for the heads-up. If the report turns out to indicate an actual DuoCircle system compromise, the bounty rules apply.

## If you are a customer reporting a customer-impacting issue

For incident response touching your tenant, please also open a ticket through your normal support channel so the right operations team is paged. The vulnerability address above is for security research and disclosure, not for triaging customer outages.

## Found something? Tell us about it.

We acknowledge reports within one business day, often the same day.

[Email security@duocircle.com](mailto:security@duocircle.com)

```json
{"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://trust.duocircle.com","logo":{"@type":"ImageObject","url":"https://trust.duocircle.com/duocircle-logo.png"},"description":"DuoCircle Trust Center publishes our security posture, compliance program, and standardized vendor assessment responses for enterprise procurement teams.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://www.facebook.com/duocirclellc","https://x.com/duocirclellc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://trust.duocircle.com/request/"},"knowsAbout":["SOC 2 Type II","CSA STAR","HECVAT","Vendor Security Assessment","Cloud Security","Email Security Compliance","Information Security Policies","Subprocessor Management","Data Protection Addendum"]}
```
