Bug Bounty

Real vulnerabilities earn real payment. Automated scanner output earns a thank-you and a closed ticket. Reviewed 2026-05-06.

Where to send a submission

Email security@duocircle.com with the subject line Bounty submission. Acknowledged within one business day, usually the same day.

A submission is a bounty submission only when it is marked as such. Reports without a working proof of concept will be processed as standard responsible disclosure.

How we think about this program

We pay for vulnerabilities that would let someone compromise customer data, take over an account, escalate privilege inside a tenant, or break the integrity of a billed product. We pay quickly. We also negotiate, because impact is the real metric and impact is not a published table.

We do not pay for the long tail of automated scanner output, theoretical issues, or policy nits. Most days the security inbox sees a few of those for every real report. Filtering them is a real cost and we are honest about not subsidizing the noise. If you cannot demonstrate impact with a working proof of concept, this program is not for you.

What we pay for

The categories below are eligible. The list is not exhaustive. If you have something with real impact that does not fit, send it anyway.

  • Remote code execution against any DuoCircle production system.
  • Authentication bypass, account takeover, or session hijacking against a real account in a way that does not require user-side mistakes.
  • Server-side request forgery against a production endpoint that reaches internal infrastructure.
  • SQL injection, command injection, or template injection with a demonstrated payload that returns data or executes code.
  • Stored cross-site scripting that executes in the context of another customer's session and survives a normal page reload.
  • Insecure direct object reference that exposes another tenant's data.
  • Privilege escalation inside a tenant, for example a non-admin user changing billing or org settings.
  • Cryptographic failures with a demonstrated decryption or forgery path.
  • Subprocessor chain compromise that we can act on, where the report includes the impact path and the affected DuoCircle property.

What we do not pay for

The categories below come in by the dozen each week. They are not vulnerabilities. We will close the ticket without a credit.

  • DMARC, SPF, or DKIM records on subdomains that do not send mail. We know.
  • DMARC policy not at p=reject on a domain that does not need it. Not a finding.
  • Missing security headers without a working exploit chain. CSP, X-Frame-Options, Permissions-Policy, Strict-Transport-Security, and similar.
  • Iframe-related findings (clickjacking, X-Frame-Options) on pages without sensitive state-changing actions.
  • CSS injection, design-only XSS, or self-XSS that requires the victim to paste a payload.
  • Open redirects without a demonstrated security impact.
  • Information disclosure of public framework metadata, build versions, or stack traces from non-production endpoints.
  • Username enumeration on public sign-up or password-reset flows.
  • Email spoofing checks against domains we do not enforce DMARC reject on. We know which ones do.
  • SSL/TLS configuration findings already documented in a public scanner report (SSL Labs, Hardenize, etc.) that do not enable a real attack.
  • Any form of denial of service, volumetric testing, or stress testing.
  • Reports on third-party SaaS we use (chat widgets, analytics, fonts) where the appropriate disclosure path is the third party.
  • Automated tool output pasted in without a working proof of concept or a written impact statement.
  • Reports on staging, preview, or branch deploys. Production scope is in the section below.
  • Leaked credentials for DuoCircle customers found in third-party breach corpora or paste sites. These are customer-side exposures, not DuoCircle system issues. Send them to responsible disclosure and we will contact the customer and find a way to thank you.

How we calculate payment

Payment is set per submission based on the demonstrated impact, the quality of the report, and how unique the finding is. We do not publish a table because every finding is different and a table invites gaming. If the finding is real, the payment will reflect that.

  • Real exploit, real money. Critical-impact findings with a working proof of concept get the highest payments.
  • First valid report wins. Duplicates of an open ticket are not eligible. We will tell you the original report came in first.
  • Quality matters. A clean writeup with reproduction steps and an impact statement is paid more than a screenshot dump.
  • Negotiable in either direction. If you think we underpaid, tell us why. If we think you over-claimed, we will tell you that too.
  • Payment by bank transfer or PayPal. We do not pay in gift cards, swag, or hall-of-fame credits unless you ask for those instead.

Scope

The following DuoCircle production properties are in scope.

  • duocircle.com and any subdomain
  • autospf.com
  • dmarcreport.com
  • phishprotection.com
  • outboundsmtp.com
  • tenantmigration.com
  • mailflowmonitoring.com
  • alumniforwarding.com
  • nureply.com
  • inboxissue.com
  • trust.duocircle.com

Out of scope: staging environments, preview deploys, third-party services we embed, and any system you do not have legitimate access to test against.

Rules of engagement

The same rules from responsible disclosure apply. In short: use only your own accounts, do not exfiltrate other customers' data, do not socially engineer staff or customers, do not run denial of service, and do not disclose publicly until we have shipped a fix or 90 days have passed.

Stay inside the rules and we will not pursue legal action against you for your research.

What to put in a submission

The faster we can confirm, the faster you get paid.

  • Subject line Bounty submission on the email.
  • The product or domain affected.
  • A clear description of the issue and the security impact.
  • A working proof of concept. Steps, payloads, screenshots, or a short video. The PoC is the bar.
  • Whether you have shared this with anyone else and any embargo deadline.
  • Your preferred name for credit (if any) and your payment method (bank or PayPal).

Triage and timelines

  • Acknowledgment within one business day, usually the same day.
  • Initial assessment within three business days.
  • Eligibility decision with payment estimate within seven business days for in-scope reports with a working proof of concept.
  • Payment sent within fourteen days of eligibility confirmation.

Credit and disclosure

If you would like credit in the post-fix advisory, tell us how you want to be named. We are equally happy to keep the report private. Public disclosure of the vulnerability before we ship a fix or before the 90-day clock runs out forfeits the bounty.

Customer-impacting incidents

If you are a customer reporting an issue affecting your tenant, please also open a support ticket through your normal channel so the right operations team is paged. The bounty inbox is for security research, not for triaging customer outages.

Real exploit. Real payment.

Subject line Bounty submission. Acknowledged within one business day.

Email security@duocircle.com