Security | HailBytes | Cloud-Ready Cybersecurity Tools

Security Architecture

Encryption Everywhere

All data is encrypted in transit using TLS 1.3 with perfect forward secrecy. Data at rest is encrypted using AES-256-GCM. Encryption keys are managed through AWS KMS and Azure Key Vault.

TLS 1.3 with modern cipher suites
AES-256 encryption at rest
Hardware Security Module (HSM) backed keys
Automatic key rotation

Network Security

Your deployments run in isolated Virtual Private Clouds (VPCs) with private subnets, security groups, and network ACLs configured according to security best practices.

Private subnet isolation
Web Application Firewall (WAF)
DDoS protection (AWS Shield, Azure DDoS)
Network traffic logging and monitoring

Access Controls

Role-based access control (RBAC), multi-factor authentication (MFA), and principle of least privilege ensure only authorized users can access your systems.

Multi-factor authentication (MFA) required
Role-based access control (RBAC)
Single Sign-On (SSO) support
Regular access reviews and audits

Monitoring & Logging

Comprehensive audit logging, real-time security monitoring, and anomaly detection ensure threats are identified and responded to immediately.

24/7 security monitoring
Comprehensive audit logs
Real-time alerting for anomalies
SIEM integration support

Vulnerability Management

Regular vulnerability scanning, dependency updates, and third-party penetration testing ensure our software remains secure against emerging threats.

Weekly vulnerability scanning
Automated dependency updates
Annual penetration testing
Bug bounty program

Incident Response

Documented incident response procedures, 24/7 security operations center, and customer notification protocols ensure rapid response to security events.

24/7 security operations center
Documented IR procedures
Customer notification within 72 hours
Post-incident analysis and reporting

Responsible Disclosure Program

HailBytes takes security vulnerabilities seriously. We appreciate the security research community helping us maintain the highest level of security for our customers.

Scope

The following are in scope for vulnerability disclosure:

HailBytes websites: hailbytes.com and subdomains
Product code: GoPhish Cloud and reNgine Cloud source code and Docker images
Infrastructure templates: CloudFormation and ARM templates
APIs: All public and authenticated API endpoints

Out of Scope

Customer deployments and infrastructure (test only your own deployments)
Social engineering attacks against employees
Physical security testing
Denial of Service (DoS) attacks
Third-party services (AWS, Azure, dependencies)

Reporting Guidelines

To report a security vulnerability, email us at:


              security@hailbytes.com

Please include:

Detailed description of the vulnerability
Steps to reproduce the issue
Proof of concept (if available)
Potential impact and severity assessment
Your name and contact information (for credit)

Our Commitment

When you report a vulnerability in good faith, we commit to:

Respond to your report within 2 business days
Provide an estimated timeline for fixing the issue within 1 week
Keep you informed of our progress
Credit you in our security acknowledgements (if desired)
Not pursue legal action against researchers acting in good faith

Safe Harbor

If you comply with these guidelines and act in good faith, we will not initiate legal action against you or ask law enforcement to investigate you. We consider security research conducted under this policy to be authorized.

Security Practices & Audits

SOC 2 Aligned Controls

Our infrastructure and operations follow SOC 2 Type II framework principles with security, availability, and confidentiality controls aligned to industry best practices.

Status: Framework aligned
Controls: Access management, monitoring, encryption

ISO 27001 Aligned Practices

Our Information Security Management System (ISMS) follows ISO/IEC 27001:2013 framework for systematic approach to managing sensitive information.

Framework: ISO/IEC 27001:2013
Practices: Risk management, ISMS policies

Penetration Testing

Annual third-party penetration testing by leading security firms validates our security posture. Findings are remediated according to severity with critical issues fixed within 7 days.

Frequency: Annual (plus ad-hoc testing)
Reports Available: To enterprise customers

Security Awareness Training

All HailBytes employees undergo security awareness training, secure coding training, and regular phishing simulations (using our own GoPhish Cloud, naturally).

Training: Quarterly security awareness
Simulations: Monthly phishing tests

Supply Chain Security

Secure Software Development

We follow secure software development lifecycle (SSDLC) practices to ensure our code is secure:

Code Review: All code changes undergo peer review before merging
Static Analysis: Automated SAST scanning with Semgrep and CodeQL
Dependency Scanning: Daily scanning for vulnerable dependencies with Dependabot
Container Scanning: Docker images scanned with Trivy and Snyk
Secrets Detection: Git hooks and CI/CD scanning prevent credential leaks
Signed Releases: All releases are cryptographically signed

Third-Party Risk Management

We carefully vet and monitor all third-party dependencies and services:

Vendor security assessments and questionnaires
Regular dependency updates and vulnerability patching
Software Bill of Materials (SBOM) generation for transparency
Minimal dependency philosophy to reduce attack surface

Security Hall of Fame

We thank the following security researchers for responsibly disclosing vulnerabilities:

Report a Vulnerability →

Questions About Security?

Our security team is available to answer questions, provide documentation, and assist with security assessments for enterprise customers.

Email Security Team → View Compliance Info →

Security at HailBytes