Introduction
At Caller ID Reputation®, the security of our customers’ data is our top priority. We routinely apply a range of measures to protect our staff and customers from cyberattacks and other forms of unauthorized access or exposure.
Compliance
Caller ID Reputation® is System and Organization Controls 2 (SOC 2) Type 1 and Type 2 compliant. To request access to our SOC 2 Type 2 report, click here.
Operational Security
Transparency in how we secure our platforms and infrastructure is paramount to gaining the trust and confidence of our customers. Caller ID Reputation® implements the following practices:
- Systems are architected in a zero-trust environment that follows the principle of least privilege, with auditing of access. Secure software is required to gain access to any instance in our technical stack.
- Network firewalls and intrusion prevention systems are applied at every layer, including a Web Application Firewall and OS-level security modules.
- Sensitive information such as passwords is hashed with a one-way, industry-standard algorithm that cannot be reversed to recover the cleartext. Payment information is not stored directly in our systems; any payment details we do need to retain are masked.
- All personnel are required to use multi-factor authentication with hardware security keys, which greatly increase resistance to phishing and other unauthorized-access attempts.
- Caller ID Reputation® will disclose, within 14 days, any incident that impacted customers.
Bug Bounty & Disclosure Program
Caller ID Reputation® is committed to maintaining a secure environment for our employees and customers. We stay up to date with security technologies and continually work to improve our infrastructure. However, systems are built by humans, and some issues can slip through the cracks. If you have discovered a security issue that you believe we should know about, we would love to hear about it, and for higher-risk vulnerabilities we offer compensation and/or coordinated public disclosure.
Program Submissions
Any security issue or vulnerability you find can be reported to us by email: security@calleridreputation.com. After submission, you can expect a response within 24 business hours.
Scope of Program
The scope of this program applies to the following services/applications:
- Website – calleridreputation.com
- Platform – app.calleridrep.com
- APIs – enterprise.calleridrep.com and partner-api.calleridreputation.com
- Partner Platform – partner.calleridreputation.com
- Device Cloud
- Call Tester
Anything not listed here is considered out of scope.
Program Submission/Testing Rules
Failure to adhere to these rules may disqualify the reporter from Caller ID Reputation®’s Responsible Disclosure Program.
At no point may your submission or testing activity involve any of the following:
- Denial-of-service (DoS/DDoS) attacks.
- Social engineering or phishing attacks against Caller ID Reputation® customers, employees, or contractors.
- Large-scale exfiltration of data.
- Any action that damages or impacts the operation of Caller ID Reputation® systems.
- Retention of any sensitive or otherwise personal information. Any data accessed or exfiltrated during testing must be securely destroyed after submission.
- Testing for vulnerabilities on any account you do not own or do not have consent to test on.
- Exploitation of any publicly disclosed vulnerability that was published within the last 14 days.
- Public disclosure of a vulnerability without prior authorization.
Your submission must include your contact details, such as your name and email. Please provide full documentation and proof of the vulnerability: steps to reproduce, screenshots, videos, etc.
In addition, refrain from submitting reports that are hypothetical or have no practical impact on the operation or security of our applications or data (for example, improper mail headers or self-XSS). While we appreciate every submitted finding, only vulnerabilities with a demonstrable, reasonable impact are accepted as part of our bug bounty and disclosure programs.