Security at HailBytes
Built by security professionals, for security professionals. Security is at the core of everything we do.
Security Architecture
Encryption Everywhere
All data is encrypted in transit using TLS 1.3 with perfect forward secrecy. Data at rest is encrypted using AES-256-GCM. Encryption keys are managed through AWS KMS and Azure Key Vault.
- TLS 1.3 with modern cipher suites
- AES-256 encryption at rest
- Hardware Security Module (HSM) backed keys
- Automatic key rotation
Network Security
Your deployments run in isolated Virtual Private Clouds (VPCs) with private subnets, security groups, and network ACLs configured according to security best practices.
- Private subnet isolation
- Web Application Firewall (WAF)
- DDoS protection (AWS Shield, Azure DDoS)
- Network traffic logging and monitoring
Access Controls
Role-based access control (RBAC), multi-factor authentication (MFA), and the principle of least privilege ensure that only authorized users can access your systems.
- Multi-factor authentication (MFA) required
- Role-based access control (RBAC)
- Single Sign-On (SSO) support
- Regular access reviews and audits
Monitoring & Logging
Comprehensive audit logging, real-time security monitoring, and anomaly detection ensure threats are identified and responded to immediately.
- 24/7 security monitoring
- Comprehensive audit logs
- Real-time alerting for anomalies
- SIEM integration support
Vulnerability Management
Regular vulnerability scanning, dependency updates, and third-party penetration testing ensure our software remains secure against emerging threats.
- Weekly vulnerability scanning
- Automated dependency updates
- Annual penetration testing
- Bug bounty program
Incident Response
Documented incident response procedures, a 24/7 security operations center, and customer notification protocols ensure rapid response to security events.
- 24/7 security operations center
- Documented IR procedures
- Customer notification within 72 hours
- Post-incident analysis and reporting
Responsible Disclosure Program
HailBytes takes security vulnerabilities seriously. We appreciate the security research community helping us maintain the highest level of security for our customers.
Scope
The following are in scope for vulnerability disclosure:
- HailBytes websites: hailbytes.com and subdomains
- Product code: GoPhish Cloud and reNgine Cloud source code and Docker images
- Infrastructure templates: CloudFormation and ARM templates
- APIs: All public and authenticated API endpoints
Out of Scope
- Customer deployments and infrastructure (test only your own deployments)
- Social engineering attacks against employees
- Physical security testing
- Denial of Service (DoS) attacks
- Third-party services (AWS, Azure, dependencies)
Reporting Guidelines
To report a security vulnerability, email us at:
security@hailbytes.com
Please include:
- Detailed description of the vulnerability
- Steps to reproduce the issue
- Proof of concept (if available)
- Potential impact and severity assessment
- Your name and contact information (for credit)
Our Commitment
When you report a vulnerability in good faith, we commit to:
- Respond to your report within 2 business days
- Provide an estimated timeline for fixing the issue within 1 week
- Keep you informed of our progress
- Credit you in our security acknowledgements (if desired)
- Not pursue legal action against researchers acting in good faith
Safe Harbor
If you comply with these guidelines and act in good faith, we will not initiate legal action against you or ask law enforcement to investigate you. We consider security research conducted under this policy to be authorized.
Security Practices & Audits
SOC 2 Aligned Controls
Our infrastructure and operations follow SOC 2 Type II framework principles with security, availability, and confidentiality controls aligned to industry best practices.
Status: Framework aligned
Controls: Access management, monitoring, encryption
ISO 27001 Aligned Practices
Our Information Security Management System (ISMS) follows the ISO/IEC 27001:2013 framework for a systematic approach to managing sensitive information.
Framework: ISO/IEC 27001:2013
Practices: Risk management, ISMS policies
Penetration Testing
Annual third-party penetration testing by leading security firms validates our security posture. Findings are remediated according to severity with critical issues fixed within 7 days.
Frequency: Annual (plus ad-hoc testing)
Reports Available: To enterprise customers
Security Awareness Training
All HailBytes employees undergo security awareness training, secure coding training, and regular phishing simulations (using our own GoPhish Cloud, naturally).
Training: Quarterly security awareness
Simulations: Monthly phishing tests
Supply Chain Security
Secure Software Development
We follow secure software development lifecycle (SSDLC) practices to ensure our code is secure:
- Code Review: All code changes undergo peer review before merging
- Static Analysis: Automated SAST scanning with Semgrep and CodeQL
- Dependency Scanning: Daily scanning for vulnerable dependencies with Dependabot
- Container Scanning: Docker images scanned with Trivy and Snyk
- Secrets Detection: Git hooks and CI/CD scanning prevent credential leaks
- Signed Releases: All releases are cryptographically signed
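The "Secrets Detection" practice above relies on a Git pre-commit hook that refuses to commit credential-looking content. The following is an added illustration of what such a hook looks like; it is not HailBytes' own hook, and the patterns (an AWS access key ID shape, PEM private-key headers, and `password=`/`secret=`-style assignments with a literal value) are constructed, illustrative examples rather than a complete secrets ruleset. It assumes it is installed as `.git/hooks/pre-commit` and that `grep -E` and `git` are available.

```shell
#!/bin/sh
# Added example (not HailBytes' own code): a minimal pre-commit secrets check.
# Assumed install path: .git/hooks/pre-commit. Patterns are illustrative only.

# scan_for_secrets FILE
#   Prints each matching line (with line number) and returns 1 if any
#   credential-like pattern is found; returns 0 when the file looks clean.
scan_for_secrets() {
    if grep -nE \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY-----' \
        -e "([Pp]assword|[Ss]ecret|api_key|API_KEY|token|TOKEN)[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9/+_-]{8,}" \
        "$1"; then
        return 1
    fi
    return 0
}

# staged_secret_check
#   Runs scan_for_secrets over every file staged for commit (added, copied or
#   modified) and returns non-zero so that git aborts the commit if any file
#   matches. Note: the for-loop word-splits on whitespace, so file names
#   containing spaces are not handled by this illustrative version.
staged_secret_check() {
    rc=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        [ -f "$f" ] || continue
        if ! scan_for_secrets "$f"; then
            echo "pre-commit: possible credential in $f (see matches above); commit blocked" >&2
            rc=1
        fi
    done
    return $rc
}

# Only act as a hook when git invokes this file under its hook name, so the
# functions above can also be sourced and tested on their own.
case "$0" in
    */pre-commit) staged_secret_check ;;
esac
```

A hook like this is a last line of defence on the developer's machine; because a developer can bypass it with `git commit --no-verify`, the same scan should also run in CI, which is why the practice above pairs Git hooks with CI/CD scanning.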
Third-Party Risk Management
We carefully vet and monitor all third-party dependencies and services:
- Vendor security assessments and questionnaires
- Regular dependency updates and vulnerability patching
- Software Bill of Materials (SBOM) generation for transparency
- Minimal dependency philosophy to reduce attack surface
Security Hall of Fame
We thank the following security researchers for responsibly disclosing vulnerabilities:
Questions About Security?
Our security team is available to answer questions, provide documentation, and assist with security assessments for enterprise customers.