Responsible Disclosure

If you believe you have found a security issue in any DuoCircle product, please tell us. We acknowledge reports within one business day and most often the same day. Reviewed 2026-05-06.

Where to send a report

Email security@duocircle.com. We do not require a CVE pre-assignment or a polished writeup. We just want the details.

What to include

The more of the following you can give us up front, the faster we can confirm and remediate.

  • The product or domain affected (for example dmarcreport.com or autospf.com).
  • A description of the issue and the security impact you believe it has.
  • Steps to reproduce, including any specific URLs, payloads, or accounts used.
  • Screenshots or short videos if they help, but they are never required.
  • Whether you have shared this with anyone else and any embargo deadline you would like us to honor.
  • How you would like to be credited, if at all, in any post-fix advisory.

What to expect from us

  • Acknowledgment within one business day, usually the same day.
  • Triage against our internal severity definitions, with a target initial assessment within three business days.
  • Status updates as we investigate and as remediation progresses.
  • Credit in any public advisory we issue, if you would like it. We are happy to keep your report private.
  • No legal action against good-faith research that follows the rules of engagement below.

Scope

The following DuoCircle properties are in scope for responsible disclosure.

  • duocircle.com and any subdomain
  • autospf.com
  • dmarcreport.com
  • phishprotection.com
  • outboundsmtp.com
  • tenantmigration.com
  • mailflowmonitoring.com
  • alumniforwarding.com
  • nureply.com
  • inboxissue.com

Out of scope

The following classes of report are typically not actionable. Please consider this before sending.

  • Issues in third-party services we use, where the appropriate report path is the third party. We are happy to coordinate disclosure on a case-by-case basis.
  • Reports based purely on missing security headers without a demonstrated exploit path.
  • Theoretical attacks without a working proof of concept.
  • Self-XSS that requires the victim to paste payloads into their own browser.
  • Clickjacking on pages without sensitive state-changing actions.
  • Open redirects without a demonstrated security impact.
  • Username enumeration on public sign-up flows.
  • Email spoofing checks against domains that do not enforce DMARC reject (we know which ones do).
  • Denial-of-service, volumetric, or stress testing of any kind.

Rules of engagement

If you stay within these rules, we will not pursue legal action against you for your research.

  • Use only your own accounts or accounts you have explicit permission to test. Do not access or modify other customers' data.
  • If you obtain access to data that is not yours, stop, do not download or copy it, and report what you can describe without exfiltrating.
  • No social engineering of DuoCircle staff, partners, or customers.
  • No physical testing of DuoCircle facilities or those of our subprocessors.
  • No denial of service. Throttle automated tools so that they do not impact availability.
  • Do not disclose the issue publicly until we have shipped a fix or 90 days have passed since your initial report, whichever is sooner. We are happy to discuss longer or shorter embargoes when warranted.

Bug bounty

DuoCircle pays for real vulnerabilities under a deliberately strict bounty program. Working proofs of concept against in-scope production systems are paid; automated scanner output, missing-header findings without an exploit chain, and the long tail of policy nits are not. See the bounty page for what qualifies, what does not, and how submissions are handled.

Exposed credentials and customer data dumps

If you find leaked credentials for a DuoCircle customer (paste sites, breach corpora, dark-web markets, public buckets, etc.), please contact us immediately at security@duocircle.com. The same applies if you find a dump of DuoCircle customer data anywhere it should not be.

  • Verify the credentials actually log in against the affected service before reporting. We get a high volume of stale-list reports where the password no longer works. A live credential is the bar.
  • Do not exfiltrate or redistribute the data. Tell us what you have, where you found it, and the size. Do not send us a copy of the corpus.
  • Treat customer data dumps as urgent. Mark the email subject "URGENT: customer data exposure" so that it is paged to the on-call team.

These are typically customer-side exposures (credential reuse, third-party breaches), not DuoCircle system issues, so they are not eligible for a bounty payment. We will contact the affected customer, help them rotate, and find a way to thank you for the heads-up. If the report turns out to indicate an actual DuoCircle system compromise, the bounty rules apply.

If you are a customer reporting a customer-impacting issue

For incident response touching your tenant, please also open a ticket through your normal support channel so the right operations team is paged. The vulnerability address above is for security research and disclosure, not for triaging customer outages.

Found something. Tell us about it.

We acknowledge reports within one business day, often the same day.

Email security@duocircle.com