Infrastructure
Hootsuite's infrastructure uses both physical and cloud-based servers. Our cloud is provided by a top-tier provider. Our physical servers are located in Tier-4 datacenters with full power, cooling and network redundancy.
Security
We value your data and work hard to protect it, storing it on hosts located in several different locations. In addition, we back up each data repository at least four times a day. Data stored on our physical servers is protected by biometric locks, multiple levels of access security, and internal and external surveillance 24 hours a day, seven days a week.
Host security
Only our engineering team has access to the production environment. In all of our environments, access to servers requires SSH keys and Kerberos tokens. We use automated processes that monitor every host for unauthorized access attempts. Attackers' IP addresses are automatically blocked and an alert is raised.
Data rights
Hootsuite Media Inc. uses the services of hosting vendors and partners to obtain the hardware, software, networking, storage and other technologies needed to run Hootsuite. While the code, databases and all rights to the Hootsuite application belong to Hootsuite Media Inc., the rights to your data remain your property.
Data Protection
In 2016 the European Commission approved and adopted a new framework for European data protection law called the General Data Protection Regulation (GDPR). The GDPR requirements will become effective on May 25, 2018 and will affect all companies that process personal data of individuals in the EU.
More information on the General Data Protection Regulation (GDPR).
How to report a security incident
We take security very seriously at Hootsuite, and have an Information Security Bug Bounty program geared towards the identification and remediation of security issues. Hootsuite offers the following rewards as bounty depending on the severity of the findings:
Critical
$100 CAD Amazon eGift Card.
High
$75 CAD Amazon eGift Card.
Medium
$50 CAD Amazon eGift Card.
All of the gift cards are from the domain of the researcher’s choosing.
If your finding is of medium, high, or critical severity we offer to include your name in our Hall of Fame (see below for our current list). We do not offer rewards for low severity issues.
If you are interested in submitting your findings for review, please email hootsec@hootsuite.com. Please note that, upon your submission, it might take up to 5 business days to triage and identify the right severity for the issue. If Hootsuite is already aware of the issue, we do not offer any reward for the finding. We request you not to share or publish an unresolved vulnerability with any third parties.
Please make sure the findings you are submitting are reproducible and not self-exploitation issues. Make sure to include the following content in the submission:
Title of the finding
Description of the finding
Location of the finding (product module/page)
Steps to reproduce (include Request/Response logs if applicable)
Screenshots/video recording (if applicable)
Severity
Ineligible vulnerability types
Please note that Hootsuite does not consider the following to be eligible vulnerabilities under this program:
Vulnerabilities in third-party/open-source components
Distributed Denial of Service
Social engineering/phishing issues
Email bomb/flooding
Findings from the automated scanners which are not triaged
Disclosure of server or software version numbers
Password strength or policy
Security issues which can only be exploited with jailbroken or rooted devices.
Self-exploitation attacks
Vulnerabilities which can be only exploited in outdated browsers
Subresource integrity checks
Header misconfigurations or missing security headers without evidence of the ability to target a remote victim
Unclaimed social media accounts, links or domains which look similar to Hootsuite.
DMARC/SPF issues
Issues related to TLS/SSL versions
For incidents that affect a single account, please contact Hootsuite Help; they are your fastest response for single-user security issues.
Hootsuite’s InfoSec team commitment
Once you submit your findings our Information security team and associated development teams are committed to:
Acknowledge the reported finding
Provide an estimate to triage the vulnerability and identify whether it is a true positive or false positive.
If it is a true positive, provide an estimate of the timeline to fix the finding
Inform you once your finding is remediated
If applicable send you awards as described above.
We appreciate the efforts of every individual researcher who submits a vulnerability report and helps us in improving Hootsuite's security posture.
Miscellaneous
Hootsuite reserves the right to cancel this program at any time, and the decision to pay a bounty is entirely at our discretion. Testing must not violate any law, or disrupt and/or compromise any data that is not your own. Additional restrictions might apply to the bounty depending on your local laws.
Failure to follow any of the above-mentioned rules will disqualify you from participating in this program.
Thank you
We respect the effort and skill that goes into finding and disclosing security flaws. We are grateful for the generosity and support of the following individuals and/or organizations:
Abdelali Khalfi, Kaushik Roy, Russel Laurio, Ahmed Adel Abdelfattah, Balvinder Singh, Rafael Pablos, Abbassi Ahmed Jalal, Ma La, Hussain Adnan, Ajay Kulal, Abiral Shrestha, Mostafa Mahmoud Ashour, Hasibul Hasan, Haris Ahmed