
Infrastructure

Hootsuite's infrastructure is based on both the cloud and physical servers. The cloud is provided by a top-tier provider. The physical servers are located in Tier-4 datacenters with fully redundant power circuits, cooling and networking.

Security

We value your data and are committed to protecting it. We store it on multiple hosts in different locations and back it up regularly, up to four times a day per data store. Data stored on our physical servers is protected by biometric locks, multiple levels of access security and 24x7 internal and external surveillance.

Host security

Only our engineering team has access to the production environment. Console access to our servers requires SSH keys or Kerberos tokens. We have adopted automated host monitoring processes that block any unauthorized access attempt. In addition, IP addresses from which threats originate are automatically blacklisted and reported.

Rights to submitted data

In order to provide its services, hardware, software, networking, storage and the related necessary technologies, Hootsuite Media Inc. works with external vendors and hosting partners. Although Hootsuite Media Inc. owns the code, the databases and all rights to the Hootsuite applications, the user retains all rights to the data they submit.

Data protection

In 2016 the European Commission approved and adopted a new framework for European data protection law called the General Data Protection Regulation (GDPR). The GDPR requirements will become effective on May 25, 2018 and will affect all companies who process personal data of individuals in the EU.

More information on the General Data Protection Regulation (GDPR).

How to report a security incident

We take security very seriously at Hootsuite, and have an Information Security Bug Bounty program geared towards the identification and remediation of security issues. Hootsuite offers the following bounty rewards, depending on the severity of the finding:

  • Critical: $100 CAD Amazon eGift Card.

  • High: $75 CAD Amazon eGift Card.

  • Medium: $50 CAD Amazon eGift Card.

All of the gift cards are from the domain of the researcher's choosing.

If your finding is of medium, high, or critical severity we offer to include your name in our Hall of Fame (see below for our current list). We do not offer rewards for low severity issues.

If you are interested in submitting your findings for review, please email hootsec@hootsuite.com. Please note that, after your submission, it might take up to 5 business days to triage the issue and identify the right severity. If Hootsuite is already aware of the issue, we do not offer any reward for the finding. We ask that you not share or publish an unresolved vulnerability with any third party.

Please make sure the findings you are submitting are reproducible and are not self-exploitation issues. Make sure to include the following content in the submission:

  • Title of the finding

  • Description of the finding

  • Location of the finding (product module/page)

  • Steps to reproduce (include Request/Response logs if applicable)

  • Screenshots/video recording (if applicable)

  • Severity

Ineligible vulnerability types

Please note that Hootsuite does not consider the following to be eligible vulnerabilities under this program:

  • Vulnerabilities in third-party/open source components

  • Distributed Denial of Service

  • Social Engineering/phishing issues

  • Email bomb/flooding

  • Findings from the automated scanners which are not triaged

  • Disclosure of server or software version numbers

  • Password strength or policy

  • Security issues which can only be exploited with jailbroken or rooted devices

  • Self-exploitation attacks

  • Vulnerabilities which can be only exploited in outdated browsers

  • Subresource integrity checks

  • Header misconfigurations or missing security headers without evidence of the ability to target a remote victim

  • Unclaimed social media accounts, links or domains which look similar to Hootsuite

  • DMARC/SPF issues

  • TLS/SSL version issues

For incidents that affect a single account, please contact Hootsuite Help; they are your fastest response for single-user security issues.

Hootsuite’s InfoSec team commitment

Once you have submitted your findings, our information security team and the associated development teams commit to:

  • Acknowledge the reported finding

  • Provide an estimate to triage the vulnerability and identify whether it is a true positive or false positive.

  • If it is a true positive, provide an estimated timeline for fixing the issue

  • Inform you once your finding is remediated

  • If applicable, send you the rewards described above

We appreciate the efforts of every individual researcher who submits a vulnerability report and helps us improve Hootsuite's security posture.

Miscellaneous

Hootsuite reserves the right to cancel this program at any time, and the decision to pay a bounty is entirely at our discretion. Testing must not violate any law or disrupt and/or compromise any data that is not your own. Additional restrictions might apply to the bounty depending on your local laws.

Failure to follow any of the above-mentioned rules will disqualify you from participating in this program.

Thanks

We respect the effort and skill that goes into finding and disclosing security flaws. We are grateful for the generosity and support of the following individuals and/or organizations: