Security is one of the biggest considerations in everything we do. If you have any questions after reading this, or encounter any issues, please contact us at [email protected]. We implement secure engineering practices in the design and code of CallHub. Our vulnerability reporting policy is below:
CallHub Vulnerability Reporting Policy
At CallHub, trust is one of our core values and we take the protection of our customers' data seriously. CallHub appreciates the role security researchers play in internet security. We encourage responsible reporting of any vulnerabilities found in our marketing website or in the product.
We have developed a program to make it easier for you (security researchers or customers) to report vulnerabilities to CallHub and to recognize you for your efforts to make the internet a better place. For research into our products, you may refer to our Developer Documentation and any material on the CallHub support forums.
Please review the scope and guidelines below before you test and/or report a vulnerability. CallHub pledges not to initiate legal action against researchers for penetrating or attempting to penetrate CallHub systems, as long as they adhere to these guidelines.
Vulnerability Reporting Program
To appreciate your efforts, CallHub runs a bug bounty program. If you submit a valid report on the eligible products mentioned in the Scope and Description of Vulnerability section of this policy, CallHub will consider your report for the program. If the security team accepts the reported vulnerability, CallHub will provide the following recognition:
- Your full name and Gravatar will be listed on our Security Hall of Fame
- Your organization's name and email address (on request)
- Links to social profiles such as Twitter or LinkedIn, or to previous work (on request)
Note: CallHub does not currently provide monetary incentives for vulnerability reports.
Scope and Description of Vulnerability
All CallHub products are in scope for vulnerability reports. Any design or implementation issue that substantially affects the confidentiality or integrity of user data is covered by this policy. Common examples include:
- XSS – Cross-site scripting
- CSRF – Cross-site request forgery
- SQL injection
- Mixed-content scripts (scripts loaded over plain HTTP into an HTTPS page)
- MITM – Man-in-the-middle attacks
- Authentication or authorization flaws
- Server-side code execution bugs (including SSI, i.e. server-side include injection)
The following scenarios are not considered vulnerabilities:
- Presence or absence of HTTP security headers (X-Frame-Options, X-Content-Type-Options: nosniff, etc.)
- Exposed stack traces or HTTP 500 errors
- Content spoofing by administrative users
CallHub will recognize reports with significant impact across our entire product portfolio, and we encourage you to report bugs through this program following the guidelines below.
Reporting a potential security vulnerability:
- Privately share details of the suspected vulnerability with CallHub by sending an email to [email protected]. If you are a customer, you can also report the issue to [email protected]
- Provide full details of the suspected vulnerability so the CallHub team can validate and reproduce the issue:
- Type of issue (e.g. cross-site scripting, SQL injection)
- Product and version with the bug, or a URL
- The potential impact of the vulnerability (i.e. what data can be accessed or modified)
- Step-by-step instructions to reproduce the issue
- Any proof-of-concept or exploit code required to reproduce the vulnerability
We expect reporters to use their own judgment and to provide sufficient detail and evidence when reporting a vulnerability.
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, CallHub does not permit the following conduct:
- Performing actions that may negatively affect CallHub or its users (e.g. spam, brute-force or DDoS attacks)
- Accessing, or attempting to access, data or information that does not belong to you
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
- Conducting any kind of physical or electronic attack on CallHub personnel, property or data centers
- Social engineering any CallHub employee or contractor
- Conducting vulnerability testing of participating services with anything other than test accounts
- Violating any laws or breaching any agreements in order to discover vulnerabilities
Researchers also commit not to share or publicize a reported but unresolved vulnerability with third parties.
Once you report a vulnerability to us, the CallHub team will make efforts to:
- Respond in a timely manner, acknowledging receipt of your vulnerability report
- Investigate all legitimate reports and respond with a severity rating (Critical, High or Medium) based on impact
- Provide an estimated time frame for addressing the vulnerability report
- Request more information on the vulnerability if needed to fix the issue
- Notify you when the vulnerability is planned to be addressed
- Inform you when the reported vulnerability is fixed
We thank every individual researcher who submits a vulnerability report helping us improve our overall security posture at CallHub.
Security Hall of Fame
CallHub would like to thank the following people who have responsibly disclosed vulnerabilities to us:
Sahil Mehra & Shivam Kamboj Dattana