This program is for the Circle iOS and Android mobile apps and the supporting Web service APIs. On iOS, the Circle iMessage extension app is also in scope. You must test the production released versions available through the Android and iOS app stores.

NOTE: The Circle web-app is NOT in scope.

In this program we will reward for vulnerabilities that are found in the business logic or the application platform stack. Volumetric attacks are not valid for this program. Vulnerabilities found by static-analysis tools MUST be accompanied with a full exploit demonstrating a vulnerability in business logic or a security control.

NOTE: Do not submit findings that you consider as a “best practice”.

Authentication is Required

You will need to create a circle.com account. You must use your Bugcrowd email. This program is only for authenticated application requests.

Targets

In scope

  • iOS iMessage extension app
  • iOS mobile app - the native iOS app
  • Android mobile app - the native Android app

Researchers testing on out-of-scope domains (such as api.mixpanel.com) will be BLOCKED/BANNED. DO NOT test out of scope. Additionally, the use of automated scanners will likely result in your IP being blocked/banned as well.

The following finding types are specifically excluded from the program:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • DDoS
  • Volume-based attacks
  • Attacks that involve emailing or texting any user
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF findings that are not accompanied by an exploit that demonstrates cross-site API execution.
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Sign In or Sign Up Cross-Site Request Forgery.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies and our session token.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • Username / email enumeration
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • SSL Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites
  • Issues related to email and text messages, like SPF records
  • Issues related to password complexity

Android

In Scope for the Android app

  • https://play.google.com/store/apps/details?id=com.circle.android&hl=en
  • The Circle application code in the APK and any data it creates and saves on the device
  • The supporting REST APIs (see list below)

Out of Scope bugs for the Android app

  • Third party libraries
  • Attacks requiring (or making use of) a rooted device
  • Reports from static analysis of the binary without an accompanying PoC that exploits some business logic or security control
  • Reports that only list exported activities discovered by static analysis. The report must be a runtime exploit that abuses the exported activity
  • Shared links leaked through the system clipboard.
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage
  • Lack of obfuscation
  • Any kind of sensitive data stored in app private directory
  • Lack of binary protection controls in the Android app
  • Warnings or errors only verified by static analysis

iOS

In Scope for the iOS app

  • https://itunes.apple.com/us/app/circle-pay/id920164002?mt=8
  • The Circle application code in the IPA and any data it creates and saves on the device
  • The supporting REST APIs (see list below)

Out of Scope bugs for iOS app and iMessage extension

  • Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries
  • Runtime hacking exploits possible only on a jailbroken device
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation
  • Lack of jailbreak detection
  • OAuth "app secret" hard-coded/recoverable in the IPA
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Warnings or errors only verified by static analysis

REST APIs

In Scope REST APIs

  • https://www.circle.com/api/*

Out of Scope REST APIs

  • Any URI not matching an In Scope API is out of scope.

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.