Security

CallHub products are built with best-in-class security practices to keep you and your data safe at all times.

If you have any questions after reading this or encounter any issues, please contact us at [email protected] or book a call with our sales team.

security-header
human rights campaign grey logo
amnesty-international-logo
amercian red cross logo grey
350-logo
neat-logo-bw
wilderness-society-logo

Data Center

CallHub uses Amazon Web Services (AWS) as our cloud infrastructure provider. AWS’s world-class data centers are highly secure, nondescript, and have numerous safeguards against perimeter intrusion.

callhub-data-center

Multi-level physical safeguards

AWS utilizes multi-level biometrics and other physical security safeguards to restrict access to the data centers, as well as regions on the data center floor.

Resilient against system failures

The full redundancy of these data centers in various locations around the world ensures that CallHub will remain resilient in the event of a system failure in one area.

Secure engineering practices in the design and code of CallHub.

Network Firewalls

Each system uses firewalls to restrict access from external networks and between systems internally. To mitigate internal and external risk, access is restricted to only the ports and protocols required for specific business needs.

TLS Encryption

CallHub enforces HTTPS for all services, including our public website. All web session traffic between your application and CallHub is encrypted using TLS (transport layer security) which provides data encryption and authentication between your application and our servers. Sensitive data between applications are also protected by access tokens and are encrypted during transmission.

Authentication

To prevent unauthorized account access, each session requires an account username and a strong password. All passwords are stored encrypted with a one-way hashing algorithm resistant to brute-force and dictionary attacks by using a salt. Passwords are not logged.

Credit Card

All payments are processed with Stripe. Stripe stores your credit card information on its servers and never reaches our servers. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available.

Limited Access

CallHub’s policies and procedures limit and log all external and internal access to customer data and requests management approval before access. Only select CallHub employees dealing directly with valid customer tickets can access customer data with prior permissions.
You also have a choice to use 2FA for account access.

Data Privacy

We take your privacy seriously. Your data is only used/stored in accordance with our privacy policy.

Disclosure

We rapidly & regularly investigate all reported security issues. If you believe you’ve discovered a bug in CallHub’s security, please contact [email protected]. We will respond as quickly as possible to your report.

We request that you do not disclose the issue publicly until it has been addressed by CallHub.

CallHub Vulnerability Reporting Policy

At CallHub, trust is one of our core values, and we take protecting our customer’s data seriously. CallHub appreciates the role security researchers play in internet security. We encourage responsible reporting of any vulnerabilities found on our marketing website or the product.

We have developed a program to make it easier for you (security researchers or customers) to report vulnerabilities to CallHub and to recognize you for your efforts to make CallHub a secure platform.

You may refer to our developer documentation and any material on the CallHub support forums for research into our products.

reporting-policy

Disclaimer

Please review the below scope and guidelines before you test and/or report a vulnerability.

CallHub pledges not to initiate legal action against researchers for penetrating or attempting to penetrate CallHub systems as long as they adhere to the below guidelines.

Vulnerability Reporting Program

To appreciate your efforts, CallHub runs a bug bounty program. If you submit a valid report on the eligible products mentioned in the Scope and Description of Vulnerability section in this policy, CallHub will consider your report for our bug bounty program. If the reported vulnerability is accepted by the security team, CallHub will provide the incentives below.

Note: Currently, CallHub doesn’t provide monetary incentives for Vulnerability reporting

reporting-program

1. Your full name and gravatar will be mentioned in our Security Hall Of Fame.

2. Organization’s name, email address (as per request).

3. Links to social profiles such as Twitter, LinkedIn, or any previous work (as per request).

Scope and Description of Vulnerability

All CallHub products are in scope for reporting the vulnerabilities. Any design or implementation issue that substantially affects the confidentiality or integrity of user data is covered in the scope of this policy.

scope-and-decription

Accepted vulnerability scenarios

  1. XSS – Cross-site scripting
  2. CSRF – Cross-site request forgery
  3. SQL Injection
  4. Mixed-content scripts
  5. MITM – man-in-the-middle Attacks
  6. Authentication or authorization flaws
  7. SSI – Server-side code execution bugs

Scenarios that are not considered a vulnerability

  1. Presence or absence of HTTP headers (X-Frame-Options, nosniff, etc.)
  2. Exposed stack traces or 500 errors
  3. Content spoofing by administrative users

Reporting a potential security vulnerability

CallHub will reward reports with a significant impact across our entire product portfolio. We encourage you to report bugs via this program based on the below guidelines.

Guidelines for reporting a vulnerability

You are requested to adhere to the following guidelines while reporting a vulnerability.
Share details of the suspected vulnerability with CallHub by sending an email to [email protected]. If you are a customer, you can also report the issue to [email protected].

We expect reporters to use their own judgment and provide sufficient details and evidence while reporting the vulnerability.

Vulnerability details required

Provide full details of the suspected vulnerability so that the CallHub team can validate and reproduce the issue.

  • Type of issue (cross-site scripting, SQL injection) Product and version with the bug or a URL.
  • The potential impact of the vulnerability (i.e., what data can be accessed or modified).
  • Step-by-step instructions to reproduce the issue.
  • Any proof-of-concept or exploit code required to reproduce the vulnerability.

Responsible Conduct

While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, CallHub does not permit the following conduct.

Performing actions that may negatively affect CallHub or its users (e.g., spam, brute force, DDoS attacks).

Accessing, or attempting to access, data or information that does not belong to you.

Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.

Conducting any kind of physical or electronic attack on CallHub personnel, property, or data centers.

Social engineering any CallHub employee or contractor.

Conduct vulnerability testing of participating services using anything other than test accounts.

Violating any laws or breaching any agreements to discover vulnerabilities.

Sharing or publicizing the reported (yet unresolved) vulnerability with/to third parties.

CallHub Commitment

We thank every individual researcher who submits a vulnerability report helping us improve our overall security posture at CallHub.

Once you report a vulnerability to us, the CallHub team will make efforts to

Respond in a timely manner, acknowledging receipt of your vulnerability report.

We will investigate all legitimate reports and respond to you with appropriate qualification (Critical, High, or Medium) based on the impact.

Provide an estimated time frame for addressing the vulnerability report.

Request you more information on the vulnerability if needed to fix the issue.

Notify you when the vulnerability is planned to be addressed.

Inform you when the reported vulnerability is fixed.

Security Hall of Fame

CallHub would like to thank the following people who have responsibly disclosed vulnerabilities to us.

Shiraz Ali Khan

Sahil Mehra & Shivam Kamboj Dattana

Sujan Thapa Magar