Responsible Disclosure
Reporting Security Vulnerabilities
If you believe you’ve found a security vulnerability in our software, please email it to [email protected]. It would be very valuable to us if you could include the following details in your email submission:
- Description of the location and potential impact of the vulnerability.
- Steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us).
We will usually respond with an acknowledgement within 96 hours. If you do not receive any response from us, the issue may have already been reported or the description provided isn’t understandable. We request that you adhere to the principles of responsible disclosure, which include, but are not limited to:
- Access and expose only customer data that is your own.
- Avoid scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the site).
- Keep within the guidelines of our Terms Of Service.
- Keep details of vulnerabilities secret until the CallHippo security team has been notified and has had a reasonable amount of time to fix the vulnerability.
Refrain from Public Disclosure
For the safety of our customers and users, please do not publish any security vulnerabilities. We expect to fix all security issues within 30 days from the date the security issue is reported. Once an issue has been fixed, we will explicitly acknowledge this, at which time you are free to publish your work.
Rewards & Recognition
To show our appreciation of responsible disclosure, CallHippo will provide recognition and create your profile with all your details in our ‘Hall of Fame’, depending on the factors mentioned below:
- You are the first person to report the vulnerability.
- The vulnerability level of the reported issue.
- You have complied with our guidelines.
Hall of Fame: here are the people who contributed to the security of CallHippo by reporting a vulnerability and responsibly disclosing it to us. Thank you for your responsible efforts!
If you prefer to remain anonymous, we encourage you to use a pseudonym when reporting.