DuoCircle Bug Bounty Program
DuoCircle offers a bug bounty program for individuals or groups who report bugs, vulnerabilities, and exploits on our website, mobile apps, and related products. This program is guidance for both parties and not a contract, promise, or obligation.
Bugs are defined as any feature or function of our site, mobile apps, or API that is not operating as intended.
Vulnerabilities are bugs that damage data, expose non-public data about individual members or the company, or allow a person who is not the owner of an account to act as the owner.
We do not offer a bounty for user interface, graphics, or data bugs that do not pose a security threat. However, reporting these bugs through our “support” system may result in a free account being awarded at our discretion.
The severity of the vulnerability determines the bounty amount. Severity is scored with the Common Vulnerability Scoring System (CVSS) calculator.
Vulnerability Disclosure and Bounty Program
We pay a bounty for vulnerabilities disclosed according to the procedure described below. The bounty paid will be determined by the severity of the vulnerability. We will agree upon the severity with the Reporter, based on the Common Vulnerability Scoring System, aka “CVSS,” using this calculator: https://www.first.org/cvss/calculator/3.1.
| CVSS 3.1 base score | Bounty | Notes |
| --- | --- | --- |
| 0.0 – 2.4 | $0 | Bugs which do not harm the system or user data may be eligible for gift memberships at our discretion |
| 2.5 – 3.5 | Up to $200 | |
| 3.5 – 4.5 | Up to $400 | |
| 4.5 – 5.4 | Up to $800 | |
| 5.5 – 10.0 | Up to $2000 | |
Guidelines for Reporting Vulnerabilities and Claiming Rewards
To claim a bounty, the vulnerability must be reported by email to the bug bounty address given at the end of this page, and the report must include a proof of concept, working code, steps to replicate, or other documentation. The first person to submit a complete report on a given vulnerability will receive the bounty. Payment will be made after the vulnerability is fixed and verified by our teams.
Please note that by participating in our bug bounty program, you agree not to attack or cause damage to the site, users’ data, or the company’s reputation. Any unannounced vulnerability investigation that is indistinguishable from an attack and/or violates the terms of this program will be treated as an attack and may result in law enforcement involvement. If you believe your exploit may cause harm, please contact us before attempting it.
DuoCircle will respond to claims within 5 business days; if we are unable to respond within this time frame, that does not invalidate your claim, and we will get back to you as soon as possible. The following are not eligible for a bug bounty: reports generated by automated tools; exploits that work only on unsupported browsers or outdated mobile apps; physical-access or social-engineering attacks (including phishing or impersonating staff); denial of service; email; issues in systems outside DuoCircle’s control; and issues we are already aware of. Additionally, deviations from industry-standard procedures and settings are not eligible for a bug bounty without a demonstration that the deviation can be exploited in a specific, harmful way.
By participating in our bug bounty program, you must adhere to all applicable laws and regulations and must not engage in any illegal activity. DuoCircle reserves the right to modify or discontinue the bug bounty program at any time.
Steps To Submit & Claim Your Bounty
We value your contributions to help keep our systems secure, and thank you for taking the time to report any bugs or vulnerabilities you may find.
1. To claim a bounty for a vulnerability, you must report your finding to us first and exclusively. Any disclosure to the public before a fix is released, by you or anyone else, will invalidate all claims to a bounty. Attempting to exploit a found vulnerability beyond what is necessary to demonstrate and report it will be considered an attack and will also invalidate the claim to a bounty.
2. Your report must include a proof of concept, working code, steps to replicate, or other documentation so that our technical teams can identify which systems are affected and how. A video or other demonstration alone is not sufficient. The proof of concept must execute in the same manner that a victim would realistically execute it; specifically, sending code for us to download and execute locally is not realistic, and so you must host the proof on a website that you control and then send us the link. If the vulnerability’s severity is based on automation, you must submit proof that it can be automated. If we are unable to replicate the bug with your steps, you will be required to work with us to understand why, and you may be asked to provide further proof of the vulnerability.
3. You must provide your real name and contact information for payment. We will not submit payment to anonymous or unverified accounts. We may ask for reasonable ID verification; a documented and valuable online reputation may be sufficient. Only the first person to submit a complete report on a given vulnerability will receive a bounty. Subsequent, helpful reports received before a patch is available may receive a bounty at our discretion. Separate exploits of the same bug may be considered the same vulnerability at our discretion. “First to submit” is based on the receipt timestamp of the email received at the address above, containing the demonstration or documentation and real-person contact information. Incomplete submissions are considered submitted only when completed.
4. You must work with us to determine the severity of the vulnerability according to CVSS. Payment will be made after the vulnerability is fixed, the fix has been verified by our teams against the submitted proof of concept, and the Reporter has confirmed it. In some cases, we may ask that you not disclose any information about the vulnerability for an agreed-upon period; if so, we will ask this when we confirm your submission, and an additional bounty will be paid to compensate for your inability to use the discovery for promotional or instructional purposes. Regressions of previously fixed vulnerabilities will be paid at half the normal amount.
If you have any questions or concerns about this policy, please reach out to bugbounty @ duocircle.com.