Updated May 2026

Bug Bounty.

Rewards for responsible disclosure of security vulnerabilities in Circus. We welcome researchers who identify genuine issues and report them in good faith.

Program overview

This program covers our app, web platform, and API. Reports are reviewed by our security team, and qualifying findings are eligible for recognition and rewards.

For our full responsible disclosure policy and response timelines, see the Security page.

Scope

In scope

  • Circus iOS and Android applications
  • circus.app web platform
  • Circus API and backend services
  • Authentication and account security
  • User data privacy and potential leakage
  • Payment and monetization flows
  • Admin tooling and internal dashboards

Out of scope

  • Social engineering of Circus staff
  • Physical security attacks
  • Denial of service (DoS/DDoS)
  • Spam or email flooding
  • Vulnerabilities in third-party services
  • Automated scanning without prior written permission
  • Issues in outdated browser or OS versions

How to report

Send your report to security@circus.app. Please include:

  • A clear description of the vulnerability and where it exists
  • Step-by-step reproduction instructions
  • Your assessment of the potential impact
  • Proof-of-concept if available — non-destructive only, do not exfiltrate user data

We will acknowledge receipt within five business days. PGP encryption is available on request.

What to expect

After acknowledgement, our security team will validate the report and assess severity. We will keep you informed at each stage and provide a remediation timeline based on the severity of the finding.

We do not offer fixed cash payouts at this stage. Qualifying reports receive recognition including named credit in our security changelog and, for significant findings, Circus merchandise. We intend to introduce paid bounties after public launch — findings disclosed before launch will be honored at the severity agreed at disclosure time.

Safe harbor

Circus will not pursue or support legal action against researchers who act in good faith under this program. Safe harbor applies where researchers:

  • Notify us before any public disclosure
  • Do not access, modify, or exfiltrate user data beyond what is strictly necessary to demonstrate the vulnerability
  • Do not degrade the availability of our services
  • Allow us a reasonable window to investigate and remediate before disclosure

This protection does not extend to activity that causes harm to users or the platform, or that falls outside these principles.