Security
Last updated 21 May 2026
Responsible disclosure policy and bug bounty program.
Our Commitment
Circus takes the security of our platform and the privacy of our users seriously. We run regular internal security reviews, commission third-party penetration testing before significant releases, and encrypt user data at rest and in transit. We welcome reports from security researchers who identify vulnerabilities in good faith and give us the opportunity to fix them before public disclosure.
Scope
In Scope
- Authentication and account security
- API endpoints and data access controls
- iOS and Android mobile applications
- User data privacy and potential leakage
- Payment processing flows
- Content delivery and media infrastructure
- Admin tooling and internal dashboards
- CDN and infrastructure configuration
Out of Scope
- Social engineering of Circus staff
- Physical security attacks
- Denial of service attacks
- Issues in third-party services we don’t control
- Automated scanning without prior written permission
- Vulnerabilities in outdated browsers or OS versions
How to Report
Email security@circus.app with:
- A clear description of the vulnerability and its location
- Step-by-step reproduction instructions
- Your assessment of the potential impact
- Any proof-of-concept code (non-destructive only — do not exfiltrate user data)
PGP encryption is available on request. We will acknowledge receipt and give you a response timeline according to the severity-based targets in the Response Timeline section below.
Response Timeline
- Critical — Acknowledgement within 24h · Fix target within 7 days
- High — Acknowledgement within 48h · Fix target within 14 days
- Medium — Acknowledgement within 72h · Fix target within 30 days
- Low — Acknowledgement within 7 days · Fix target within 90 days
Bug Bounty Rewards
Pre-launch, we offer recognition in place of cash rewards. Recognition is tiered by severity:
- Critical / High — Named on our Hall of Fame, Circus swag package, credit in our security changelog
- Medium / Low — Named on our Hall of Fame, written acknowledgement
We intend to introduce paid bounties proportional to severity after public launch. Pre-launch findings will be honored at the severity rating agreed at disclosure time.
Hall of Fame
No entries yet — be the first to responsibly disclose a security finding.
Safe Harbour
Circus will not initiate or support legal action against security researchers who act in good faith. Specifically, we commit to this protection where researchers:
- Make reasonable effort to notify us before any public disclosure
- Avoid accessing, modifying, or exfiltrating user data beyond what is strictly necessary to demonstrate the vulnerability
- Do not degrade the availability of our services
- Allow us a reasonable window to investigate and remediate
This commitment does not extend to activity that causes harm to our users or platform, or that falls outside these principles.
Coordinated Disclosure
We follow a standard 90-day coordinated disclosure window from the date we acknowledge a valid report. We will keep you informed at each stage and credit you in our public disclosure unless you prefer to remain anonymous. If a fix requires more time, we will negotiate an extension with you directly rather than leaving the window open indefinitely.
© 2026 Circus Corporation. All rights reserved. Proprietary and confidential.