Cirklu Hack Challenge — Official Rules

Scope

• Cirklu browser extension (production build)
• Key storage, encryption, secure paste/autofill, share links and decryption
• Website endpoints and pages that support the extension (no admin interfaces)

Out of Scope

• DDoS, rate‑limiting, social engineering, phishing, or blackmail
• Automated scanning that impacts other users
• Third‑party services outside our control (e.g., Chrome Web Store, Firebase infrastructure)

Reward

Critical bug accepted: 0.05% equity vested over 2 years (1‑year cliff). First valid report per vulnerability is eligible.

Submission Requirements

• Clear description, impact assessment, and reproducible PoC
• Version numbers and environment (OS, browser, extension version)
• Responsible disclosure: do not access other users’ data
• Email: security@cirklu.com

Eligibility

• 18+ years old or with guardian consent
• Comply with local laws and export regulations

Legal

• Equity awards subject to KYC and standard agreements
• We may adjust scope or rewards for safety and fairness
• By participating, you agree not to publicly disclose vulnerabilities before remediation