
Hootsuite Security Center

Infrastructure

Hootsuite uses both cloud and physical servers in our infrastructure. Our cloud is provisioned by a well-known top-tier provider. Our physical servers are located in Tier 4 datacenters with full power, cooling, and network redundancy.

Security

We value your data, and we work hard to protect it. We store it on multiple hosts in multiple locations and back it up regularly, as often as four times per day per datastore. Data stored on our physical servers is protected by biometric locks, multiple layers of access security, and 24x7 interior and exterior surveillance.

Host Security

Only our Engineering team has access to our production environment. SSH keys or Kerberos tokens are required for console access to servers in all of our environments. Automated processes monitor each host for unauthorized login attempts; offending IP addresses are automatically blocked and an alert is raised.
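As an added illustration of the kind of automated login-attempt monitoring described above (example code written for this page, not Hootsuite's own tooling): it parses constructed OpenSSH log lines in the standard syslog format, flags a source IP once it reaches a threshold of failed passwords inside a sliding time window, escalates any later successful login from a flagged IP, and renders the block decision as nft commands. The nft table and set names, the threshold and the window are assumptions.

```python
"""Detect SSH password brute-force attempts in sshd log lines and emit block rules.

Added example, not Hootsuite's code. The log format is the standard
OpenSSH/syslog format; the nft table and set names in block_rules() and the
default threshold/window are assumptions for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not real logs). 203.0.113.7 hammers root/admin with
# passwords and later gets in; 198.51.100.9 is a legitimate deploy user with one typo.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 10:01:04 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:01:05 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 10:01:07 web01 sshd[2218]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:01:09 web01 sshd[2220]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar  3 10:02:30 web01 sshd[2240]: Failed password for deploy from 198.51.100.9 port 40100 ssh2
Mar  3 10:02:45 web01 sshd[2244]: Accepted publickey for deploy from 198.51.100.9 port 40101 ssh2: ED25519 SHA256:AbCdEf
Mar  3 10:02:46 web01 sshd[2244]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)
Mar  3 10:05:00 web01 sshd[2260]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  3 10:06:00 web01 sshd[2270]: Accepted password for root from 203.0.113.7 port 51007 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted (?:password|publickey)) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return {ts, failed, user, ip} for auth events, None for other sshd messages."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # session open/close, disconnects, etc. are not auth decisions
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for relative comparisons within a single log file.
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return {"ts": ts, "failed": m["event"].startswith("Failed"),
            "user": m["user"], "ip": m["ip"]}


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return alerts in log order.

    An IP is flagged ("brute_force") the first time it accumulates `threshold`
    failed passwords inside any `window_seconds` window. A successful login from
    an already flagged IP is escalated ("login_after_block"): it means the block
    was not enforced in time and the account may be compromised.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    blocked = {}                 # ip -> time the block decision was made
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if not ev["failed"]:
            if ip in blocked:
                alerts.append({"type": "login_after_block", "ip": ip,
                               "user": ev["user"], "at": ts})
            continue
        if ip in blocked:
            continue  # already decided; the firewall should be dropping these
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # slide the window: drop failures that are too old
        if len(q) >= threshold:
            blocked[ip] = ts
            alerts.append({"type": "brute_force", "ip": ip, "failures": len(q),
                           "first": q[0], "last": ts})
    return alerts


def block_rules(alerts):
    """Render firewall commands for flagged IPs. Assumes an nft set named
    'blocklist' in table 'inet filter'; commands are returned, not executed."""
    ips = sorted({a["ip"] for a in alerts if a["type"] == "brute_force"})
    return [f"nft add element inet filter blocklist {{ {ip} }}" for ip in ips]


if __name__ == "__main__":
    found = detect_brute_force(SAMPLE_AUTH_LOG)
    for alert in found:
        print(alert)
    print("\n".join(block_rules(found)))
```

The sliding window matters: a fixed "N failures per day" counter either blocks slow, legitimate typists or misses a fast burst, while the window-based count fires on the burst at 10:01:09 and ignores the single failed attempt from the deploy user.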

Data Rights

Hootsuite Media Inc. uses third-party vendors and hosting partners to provide the hardware, software, networking, storage, and related technology required to run Hootsuite. Although Hootsuite Media Inc. owns the code, databases, and all rights to the Hootsuite application, you retain all rights to your data.

Data Protection

In 2016 the European Union adopted a new framework for European data protection law, the General Data Protection Regulation (GDPR). The GDPR took effect on May 25, 2018 and applies to all companies that process the personal data of individuals in the EU.

More information on the General Data Protection Regulation (GDPR).

How to Report a Security Incident

We take security very seriously at Hootsuite, and run an Information Security Bug Bounty program geared towards the identification and remediation of security issues. Hootsuite offers the following rewards, depending on the severity of the finding:

Critical

$100 CAD Amazon eGift Card.

High

$75 CAD Amazon eGift Card.

Medium

$50 CAD Amazon eGift Card.

All gift cards are issued from the Amazon regional store (domain) of the researcher's choosing.

If your finding is of medium, high, or critical severity we offer to include your name in our Hall of Fame (see below for our current list). We do not offer rewards for low severity issues.

If you are interested in submitting your findings for review, please email hootsec@hootsuite.com. Note that after your submission it may take up to 5 business days to triage the issue and assign the right severity. If Hootsuite is already aware of the issue, no reward is offered for the finding. We ask that you not share or publish an unresolved vulnerability with any third party.

Please make sure the findings you submit are reproducible and are not self-exploitation issues (issues where the only possible victim is the attacker's own account or session). Include the following in the submission:

  • Title of the finding

  • Description of the finding

  • Location of the finding (product module/page)

  • Steps to reproduce (include Request/Response logs if applicable)

  • Screen shots/Video recording (if applicable)

  • Severity

Proof of Impact

A demonstrated proof of impact is mandatory for all submissions. Clearly illustrate the security risk and potential harm caused by the vulnerability. Theoretical vulnerabilities without a practical impact will not be accepted.

In-Scope Domains

The following domains are in scope for our bug bounty program:

  • *.hootsuite.com

  • *.talkwalker.com

  • *.sparkcentral.com

  • *.heyday.ai

  • *.adespresso.com

Ineligible Vulnerability Types

Please note that Hootsuite does not consider the following to be eligible vulnerabilities under this program:

  • Vulnerabilities in third-party or open source components

  • Distributed Denial of Service

  • Social Engineering/phishing issues

  • Email bomb/flooding

  • Untriaged findings from automated scanners

  • Disclosure of server or software version numbers

  • Password strength or policy

  • Security issues which can only be exploited on jailbroken or rooted devices

  • Self-exploitation attacks

  • Vulnerabilities which can be only exploited in outdated browsers

  • Missing subresource integrity (SRI) checks

  • Header misconfigurations or missing security headers without evidence of the ability to target a remote victim

  • Unclaimed social media accounts, or links and domains that look similar to Hootsuite's

  • Email SPF/DMARC configuration issues

  • Issues related to TLS/SSL versions

  • Information or credentials obtained from pre-existing data breaches or publicly leaked sources

For incidents that affect a single account, please contact Hootsuite Help; they are your fastest route to a response for single-user security issues.

How to Draft a Report

For a deep dive into mastering the art of bug reporting, check out the comprehensive guide at the Intigriti Hackademy.

See below for an example of the format to use to report a vulnerability.

Report Template: Cross-Site Scripting (XSS)

Title: Cross-Site Scripting | [Component Name] | [Affected Parameter]

Example: Cross-Site Scripting | Settings Page | Username field (input not sanitized)

Severity (CVSS): 5.5

(Calculate your score using the CVSS v4.0 Calculator)

Description

A Cross-Site Scripting (XSS) vulnerability exists when the application renders user-supplied input without validating it and without encoding it for the context in which it is placed (HTML body, attribute, or script). This allows an attacker to embed script that executes in the victim's browser within the application's origin.

Proof of Concept (PoC)

  • Final Impact: [Insert image showing the executed payload (e.g., alert box with origin)]

  • Vulnerability Context: [Insert image showing the injected payload within the source code or UI]

Note: Keep this section concise. Let the visual evidence demonstrate the immediate impact.

Steps to Reproduce

  1. Navigate to: http://target-url.com/affected-page

  2. Locate the [Field Name] (e.g., Username field).

  3. Input the following payload:

    <script>alert(document.domain)</script>

  4. [Insert Image: Highlight specific buttons or navigation paths here]

  5. Action 1: Click the 'Save' button.

  6. Action 2: Refresh the page.

  7. Action 3: Observe the script execution.

Remediation (Recommended)

  • Input Validation: Implement strict allow-lists for all user-supplied data.

  • Output Encoding: Use context-aware output encoding (e.g., HTML entity encoding) before rendering data in the browser.

  • Further Reading: Refer to the OWASP XSS Prevention Cheat Sheet.
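To make the two remediation items concrete, here is an added example (written for this page, not Hootsuite code) that renders a user-controlled display name into the three contexts a settings page typically has: an attribute value, the HTML body, and a JavaScript string literal. The vulnerable renderer interpolates the raw value; the hardened one applies an allow-list at the input boundary and context-aware encoding at output time. The field names, the regular expression and the markup are invented for the demonstration; the payload is the one from the report template above.

```python
"""Vulnerable vs. hardened rendering of a user-controlled display name.

Added example illustrating allow-list input validation plus context-aware
output encoding; it is not Hootsuite's code. The page markup, the field name
and the allow-list regex are assumptions for the demonstration.
"""
import html
import json
import re

# The payload from the report template above, used as a constructed test input.
XSS_PAYLOAD = "<script>alert(document.domain)</script>"


def render_settings_vulnerable(display_name):
    """Raw string interpolation: whatever the user typed lands in the markup
    unchanged, in three different contexts at once."""
    return (f'<input name="display_name" value="{display_name}">'
            f'<p>Hello, {display_name}</p>'
            f'<script>var name = "{display_name}";</script>')


# Allow-list: letters, digits, space and a few punctuation marks, 1..40 chars.
# \Z (not $) so a trailing newline cannot sneak past the check.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 ._'-]{1,40}\Z")


def is_allowed_display_name(s):
    """Input validation against the allow-list (reject, do not 'clean')."""
    return DISPLAY_NAME_RE.fullmatch(s) is not None


def save_display_name(s):
    """Input-boundary check before the value is stored; returns the stored value."""
    if not is_allowed_display_name(s):
        raise ValueError("display name contains disallowed characters")
    return s


def encode_for_html(s):
    """HTML body and quoted-attribute context: &, <, >, \" and ' become entities."""
    return html.escape(s, quote=True)


def encode_for_js_string(s):
    """JavaScript string-literal context inside a <script> block: JSON-encode,
    then hex-escape the characters that could close the script element or
    break out of the literal. The result is still valid JSON/JS."""
    out = json.dumps(s)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        out = out.replace(ch, esc)
    return out


def js_roundtrip_ok(s):
    """The encoded literal must decode back to the original data unchanged."""
    return json.loads(encode_for_js_string(s)) == s


def render_settings_hardened(display_name):
    """Output encoding chosen per context, applied even to validated input
    (defense in depth: the allow-list permits the apostrophe, for example)."""
    safe_html = encode_for_html(display_name)
    return (f'<input name="display_name" value="{safe_html}">'
            f'<p>Hello, {safe_html}</p>'
            f'<script>var name = {encode_for_js_string(display_name)};</script>')


def payload_survives(markup, payload=XSS_PAYLOAD):
    """Crude oracle for the PoC: does the raw payload appear unencoded in the output?"""
    return payload in markup


if __name__ == "__main__":
    print("vulnerable:", render_settings_vulnerable(XSS_PAYLOAD))
    print("hardened:  ", render_settings_hardened(XSS_PAYLOAD))
    print("allow-list accepts payload:", is_allowed_display_name(XSS_PAYLOAD))
```

Note that HTML entity encoding is the wrong tool for the script context: the browser does not decode entities inside a script element, so `&quot;` would appear literally in the JavaScript value. That is why the script slot uses JSON encoding with hex escapes instead of `html.escape`.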

Hootsuite’s InfoSec Team Commitment

Once you submit your findings, our Information Security team and the associated development teams are committed to:

  • Acknowledge the reported finding

  • Provide an estimate of the time needed to triage the vulnerability and determine whether it is a true positive or a false positive

  • If it is a true positive, provide an estimated timeline for fixing the finding

  • Inform you once your finding is remediated

  • If applicable, send you the rewards described above

We appreciate the efforts of every individual researcher who submits a vulnerability report and helps us improve Hootsuite's security posture.

Miscellaneous

Hootsuite reserves the right to cancel this program at any time, and the decision to pay a bounty is entirely at our discretion. Testing must not violate any law, and must not disrupt or compromise any data that is not your own. Additional restrictions on the bounty may apply depending on your local laws.

Failure to follow any of the rules above will disqualify you from participating in this program.

Thank You

We respect the effort and skill that goes into finding and disclosing security flaws. We are grateful for the generosity and support of the following individuals and/or organizations: