We welcome reports from security researchers. This policy describes how to send one, what we will do with it, and the safe-harbor terms that apply to good-faith research conducted under this policy. The same policy is mirrored at trust.duocircle.com/responsible-disclosure/, which is the canonical Trust Center version.
How to report
Email security@duocircle.com. Include enough detail for us to reproduce the issue: affected URL or endpoint, request method, payload or proof-of-concept, the impact you believe it has, and any prerequisite conditions. A short video or screen capture often saves a round trip.
If your report contains sensitive material, you may encrypt it to our PGP key. The key is published via /.well-known/security.txt (an RFC 9116 security.txt file, whose Encryption field points to the key). Confirm the fingerprint of the key you fetch before encrypting to it.
What is in scope
- Any production service hosted at *.duocircle.com, including trust.duocircle.com
- Any production service on the product domains in our portfolio: autospf.com, dmarcreport.com, phishprotection.com, outboundsmtp.com, tenantmigration.com, mailflowmonitoring.com, alumniforwarding.com, nureply.com, inboxissue.com, mailhop.org
- Authentication and session management defects, server-side request forgery, injection, broken access control, sensitive data exposure, deserialization defects, and equivalent OWASP Top Ten classes
- Email-deliverability and authentication weaknesses specific to our products (SPF/DKIM/DMARC handling, mail-flow misrouting, sender-spoofing in our customer-facing UIs)
What is out of scope
- Denial-of-service testing, including any automated load that affects production capacity
- Social engineering against DuoCircle staff, customers, or vendors
- Physical attacks against our offices, data centers, or staff
- Reports based solely on output of an automated scanner without a working proof of concept
- Findings limited to missing security headers or theoretical TLS weaknesses without a demonstrated exploit
- Vulnerabilities in third-party software that we do not operate, even if a customer reaches it through our service. Report those upstream and let us know.
- Reports about our customers’ configuration of our products (for example, a misconfigured customer SPF record) — those go to the affected customer
Rules of engagement
If you act under this policy in good faith and follow these rules, DuoCircle will not pursue legal action against you for that activity.
- No customer data. Do not access, modify, exfiltrate, or retain any customer data beyond the minimum needed to demonstrate the issue. If you encounter customer data, stop immediately and tell us.
- No destructive testing. No deletion, no encryption, no disruption to other users.
- One issue at a time. Do not pivot from a discovered defect to scan or probe adjacent systems. Report and stop.
- No public disclosure during embargo. Allow us a reasonable embargo (target ninety days; longer for issues that need vendor coordination, shorter for issues that are already widely known) before public disclosure.
- Coordinate with us. If a customer of ours is the right party to fix something downstream, coordinate through us before contacting them directly.
- Comply with law. Do not break any law in the conduct of the research, including but not limited to the U.S. Computer Fraud and Abuse Act and equivalent statutes in other jurisdictions.
Response targets
| Stage | Target |
|---|---|
| Acknowledgement of receipt | One business day, often same business day |
| Triage decision (in scope, severity, accepted) | Five business days |
| Remediation timeline communicated | Ten business days for accepted reports |
| Fix deployed | Driven by severity. Critical inside seven days; High inside thirty; Medium inside ninety; Low at next planned release |
| Public credit | After fix is deployed, with researcher consent |
Recognition
We do not currently operate a paid bug bounty program. We do publicly thank researchers who help us, and we are happy to provide written confirmation of the research for resume or reference purposes. If your finding leads to a material fix, we will discuss appropriate recognition on a case-by-case basis.
Safe harbor
DuoCircle considers research conducted under this policy to be:
- Authorized under the Computer Fraud and Abuse Act
- Authorized under DMCA Section 1201, to the extent the research is for security purposes
- Exempt from our Acceptable Use Policy and our Cloud Terms restrictions on circumvention and unauthorized access, to the extent those restrictions would otherwise apply
If a third party brings legal action against you for activity carried out under this policy, in good faith, we will make reasonable effort to communicate to the third party that the activity was authorized.
How this policy changes
We revise this policy when industry practice or law changes. The revision date at the top of the page is authoritative. Reports made before a revision are governed by the version then in effect.
Questions about this document?
DuoCircle LLC, 5965 Village Way, Suite 105-234, San Diego, CA 92130. Email legal@duocircle.com for legal inquiries, or support@duocircle.com for everything else.