Security at HailBytes

Security is built into HailBytes products, operations, and disclosure practices.

Security Architecture

Encryption Everywhere

All data is encrypted in transit using TLS 1.3 with perfect forward secrecy. Data at rest is encrypted using AES-256-GCM. Encryption keys are managed through AWS KMS and Azure Key Vault.

  • TLS 1.3 with modern cipher suites
  • AES-256 encryption at rest
  • Hardware Security Module (HSM) backed keys
  • Automatic key rotation

Network Security

Your deployments run in isolated Virtual Private Clouds (VPCs) with private subnets, security groups, and network ACLs configured according to security best practices.

  • Private subnet isolation
  • Web Application Firewall (WAF)
  • DDoS protection (AWS Shield, Azure DDoS)
  • Network traffic logging and monitoring

Access Controls

Role-based access control (RBAC), multi-factor authentication (MFA), and the principle of least privilege ensure that only authorized users can access your systems.

  • Multi-factor authentication (MFA) required
  • Role-based access control (RBAC)
  • Single Sign-On (SSO) support
  • Regular access reviews and audits

Monitoring & Logging

Comprehensive audit logging, real-time security monitoring, and anomaly detection ensure threats are identified and responded to immediately.

  • 24/7 security monitoring
  • Comprehensive audit logs
  • Real-time alerting for anomalies
  • SIEM integration support

Vulnerability Management

Regular vulnerability scanning, dependency updates, and third-party penetration testing ensure our software remains secure against emerging threats.

  • Weekly vulnerability scanning
  • Automated dependency updates
  • Annual penetration testing
  • Bug bounty program

Incident Response

Documented incident response procedures, 24/7 security operations center, and customer notification protocols ensure rapid response to security events.

  • 24/7 security operations center
  • Documented IR procedures
  • Customer notification within 72 hours
  • Post-incident analysis and reporting

Responsible Disclosure Program

HailBytes welcomes responsible security research. Independent researchers help us identify and remediate issues before they affect customers.

Scope

The following are in scope for vulnerability disclosure:

  • HailBytes websites: hailbytes.com and subdomains
  • Product code: HailBytes SAT and HailBytes ASM source code and Docker images
  • Infrastructure templates: CloudFormation and ARM templates
  • APIs: All public and authenticated API endpoints

Out of Scope

  • Customer deployments and infrastructure (test only your own deployments)
  • Social engineering attacks against employees
  • Physical security testing
  • Denial of Service (DoS) attacks
  • Third-party services (AWS, Azure, dependencies)

Reporting Guidelines

To report a security vulnerability, email us at:

security@hailbytes.com

Please include:

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Proof of concept (if available)
  • Potential impact and severity assessment
  • Your name and contact information (for credit)

Our Commitment

When you report a vulnerability in good faith, we commit to:

  • Respond to your report within 2 business days
  • Provide an estimated timeline for fixing the issue within 1 week
  • Keep you informed of our progress
  • Credit you in our security acknowledgements (if desired)
  • Not pursue legal action against researchers acting in good faith

Safe Harbor

If you comply with these guidelines and act in good faith, HailBytes will not initiate legal action against you or ask law enforcement to investigate you. Security research conducted under this policy is authorized.

Security Practices & Audits

SOC 2 Aligned Controls (US AICPA)

HailBytes infrastructure and operations follow SOC 2 Type 2 framework principles (the primary US enterprise procurement attestation), with security, availability, and confidentiality controls aligned to AICPA best practices. A SOC 2 Type 2 direct audit engagement with Jack Moore Group is in late-stage contracting; target attestation is 2026-H2 to 2027-Q1, contingent on completion of the observation window.

Status: Framework aligned, Type 2 direct engagement signature imminent
Controls: Access management, monitoring, encryption

ISO 27001 Aligned Practices (Global)

HailBytes’ Information Security Management System (ISMS) follows the international ISO/IEC 27001:2022 framework for systematic management of sensitive information. Formal certification is evaluated post-SOC 2 Type 2 attestation.

Framework: ISO/IEC 27001:2022 (international)
Practices: Risk management, ISMS policies, Annex A controls

Penetration Testing

Annual third-party penetration testing by leading security firms validates our security posture. Findings are remediated according to severity with critical issues fixed within 7 days.

Frequency: Annual (plus ad-hoc testing)
Reports Available: To enterprise customers

Security Awareness Training

All HailBytes employees undergo security awareness training, secure coding training, and regular phishing simulations using HailBytes SAT.

Training: Quarterly security awareness
Simulations: Monthly phishing tests

Platform Hardening (Marketplace Deployments)

Concrete settings shipped on the AWS Marketplace AMI and Azure Marketplace VM image. These are defaults; operators can tighten further, but every fresh deployment starts here.

Operating system baseline

  • Ubuntu 24.04 LTS with minimized package set
  • Kernel parameters tuned for network and memory hardening (net.ipv4.tcp_syncookies=1, kernel.kptr_restrict=2, etc.)
  • Unattended security updates enabled by default
  • Audit subsystem (auditd) capturing privileged commands and authentication events
  • Time sync via chrony against the public NTP pool

SSH daemon

  • Password authentication disabled; key-based only
  • Root login disabled
  • KexAlgorithms restricted to curve25519-sha256 and diffie-hellman-group16-sha512 family
  • Ciphers restricted to chacha20-poly1305 and AES-GCM
  • MACs restricted to ETM-mode SHA-2
  • Login grace time tightened, max sessions capped

Web stack

  • TLS 1.2/1.3 only; modern cipher suites; HSTS enabled
  • Content Security Policy with per-request nonces on inline scripts
  • X-Frame-Options, X-Content-Type-Options, Referrer-Policy set to restrictive values
  • Application-layer rate limits (anonymous 20/min, authenticated 200/min, scan initiations 10/min) returning 429 with Retry-After
  • Input sanitization with output encoding for all UI-rendered content

Application layer

  • API keys SHA-256 hashed at rest; plaintext value never stored
  • Per-key expiration and per-key revocation
  • OIDC SSO with role mapping; SCIM provisioning available
  • 21-action audit log including actor, IP, user agent, and target resource
  • RBAC scoped to projects and organizations for multi-tenant deployments

Database & data path

  • PostgreSQL 16 with PgBouncer connection pooling
  • Encryption at rest via cloud-provider managed keys (AWS KMS, Azure Key Vault)
  • Daily automated snapshots; point-in-time recovery on managed deployments
  • Database listeners bound to the application network only; no public exposure
  • Migrations gated through the application; no manual schema drift

Container & build chain

  • Multi-architecture images (ARM64 and AMD64), pre-built Go tool binaries
  • Images scanned with Trivy in CI; vulnerable releases blocked
  • Marketplace images built reproducibly via Packer
  • OIDC federation for AWS and Azure marketplace CI builds (no long-lived cloud credentials)
  • SBOM generated on every release

Operators who need to tighten further can find the full hardening reference in the docs/HARDENING_GUIDE.md shipped with the source distribution. Government cloud deployments (AWS GovCloud, Azure Government) inherit the same baseline plus FedRAMP-aligned overrides.

Supply Chain Security

Secure Software Development

We follow secure software development lifecycle (SSDLC) practices to ensure our code is secure:

  • Code Review: All code changes undergo peer review before merging
  • Static Analysis: Automated SAST scanning with Semgrep and CodeQL
  • Dependency Scanning: Daily scanning for vulnerable dependencies with Dependabot
  • Container Scanning: Docker images scanned with Trivy and Snyk
  • Secrets Detection: Git hooks and CI/CD scanning prevent credential leaks
  • Signed Releases: All releases are cryptographically signed

Third-Party Risk Management

We carefully vet and monitor all third-party dependencies and services:

  • Vendor security assessments and questionnaires
  • Regular dependency updates and vulnerability patching
  • Software Bill of Materials (SBOM) generation for transparency
  • Minimal dependency philosophy to reduce attack surface

Security Hall of Fame

We thank the following security researchers for responsibly disclosing vulnerabilities:

  • Ubaid Ahmed: February 19, 2025, HailBytes ASM disclosure
  • Flv-cmd: January 30, 2025, HailBytes ASM disclosure
  • YSalai: January 15, 2025, HailBytes ASM disclosure

Questions About Security?

Our security team is available to answer questions, provide documentation, and assist with security assessments for enterprise customers.