2022-04-19
2022-08-11

Callsign

About Us

Callsign makes digital life smoother and safer by helping organizations establish and preserve digital trust so people can get on with their digital lives. We use deep learning techniques combining event, threat, and behavioral analytics with multi-factor authentication to provide risk intelligence in real-time – enabling organizations to intelligently adjust authentication journeys and catch fraudulent activity more effectively.  

Callsign IDA is the first true representation of identity online, built to enhance digital trust.

Purpose

This expanded program is intended to give security researchers terms and conditions for conducting vulnerability discovery activities directed at Callsign information systems, and submitting discovered vulnerabilities to Callsign. If questions arise, please take no action until that action is discussed with The Callsign Security Team.

Overview

Maintaining the security of our systems and networks is a high priority for Callsign. Our information technologies provide critical services to our customers, Callsign employees and contractors. Recognizing that the broader security research community regularly makes valuable contributions to the security of the Internet, Callsign believes that a close relationship with this community will also improve our security. As a result, if you have information about a vulnerability, we want to hear from you!

Please review program terms and conditions carefully before conducting any testing of Callsign networks and submitting a report. You must agree to abide by these terms and conditions. Failure to abide by the terms and conditions will result in the loss of being considered a security researcher under the program.

Scope

Information systems, web property, or data owned, operated, or controlled by Callsign.

How to Submit a Report

Please provide a detailed summary of the vulnerability including: type of issue; product, version, and configuration of software containing the bug; step-by-step instructions to reproduce the issue; proof-of-concept; impact of the issue; and suggested mitigation or remediation actions, as appropriate.

By clicking “Submit Report,” you are indicating that you have read, understood, and agreed to the terms and conditions of the program for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to Callsign information systems, and that you consent to having the contents of the communication and follow-up communications stored on an information system.

Guidelines

Callsign will deal in good faith with security researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these terms and conditions:

  • Your activities are limited exclusively to:

      (1) Testing, through remote means, to detect a vulnerability or identify an indicator related to a vulnerability; and

      (2) Sharing information solely with Callsign or receiving information from Callsign about a vulnerability or an indicator related to a vulnerability.

  • You will do no harm and will not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.

  • You will avoid intentionally accessing the content of any communications, data, or information transiting or stored on a Callsign information system or systems, except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists. An information system is a set of information resources for collecting, processing, maintaining, using, sharing, or disseminating information.

  • You will not exfiltrate any data under any circumstances.

  • You will not intentionally compromise the privacy or safety of Callsign personnel, or any third parties.

  • You will not intentionally compromise the intellectual property or other commercial or financial interests of any Callsign personnel or entities, or any third parties.

  • You will not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving express written authorization from Callsign.

  • If during your research you are inadvertently exposed to information that the public is not authorized to access, you will effectively and permanently erase all identified information in your possession as directed by Callsign and report to Callsign that you have done so.

  • You will not conduct denial of service testing.

  • You will not conduct physical testing (e.g. office access, open doors, tailgating) or social engineering, including spear phishing, concerning Callsign personnel or contractors.

  • You will not submit a high volume of low-quality reports.

  • If at any point you are uncertain whether to continue testing, please engage with our team.

What You Can Expect From Us

We take every disclosure seriously. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate risk and remediate all reported vulnerabilities.

Callsign has a complex technology footprint; therefore, the time to resolution can vary.

Callsign remains committed to coordinating with the security researcher transparently and promptly. This includes taking the following actions:

  • Within ten business days, Callsign will acknowledge receipt of your report. Callsign’s Security Team will investigate the report and may contact you for further information.

  • When practicable and authorized, Callsign will confirm the existence of the vulnerability to the researcher and keep the researcher informed, as appropriate, while remediation of the vulnerability is under way.

  • Callsign wants researchers to be recognized publicly for their contributions if that is the researcher’s desire. Callsign will seek to allow public recognition of researchers who desire it, when practicable and authorized. However, public disclosure of vulnerabilities will only be authorized by the express written consent of Callsign.

Out of Scope

Please always review and follow the "Scope" section of this program and never test systems that are explicitly out of scope. Those systems use third-party providers that we do not own and/or control, so you will not be covered by the Terms and Conditions of our program, and those providers can try to find and fine you.

For example, www.callsign.com is out of scope.

This is because we have multiple connected third-party systems, such as HubSpot (https://www.hubspot.com), on pages like https://www.callsign.com/#book-a-demo

Legal

This policy does not grant authorization, permission, or otherwise allow express or implied access to Callsign information systems to any individual, group of individuals, consortium, partnership, or any other business or legal entity. However, if a security researcher working in accordance with the terms and conditions of this Vulnerability Disclosure Program (VDP) discloses a vulnerability, then Callsign will, in the exercise of its authorities, take the following steps: (1) not initiate or recommend any law enforcement action or civil lawsuits related to such activities against that researcher, and (2) inform the pertinent law enforcement agencies or civil plaintiffs that the researcher's activities were, to the best of our knowledge, conducted pursuant to, and in compliance with, the terms and conditions of the program.

You must otherwise comply with all applicable country, state, and local laws in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with the terms and conditions of the program or the law. If you engage in any activities that are inconsistent with the terms and conditions of the program or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability.

Callsign may modify the terms and conditions or terminate the program at any time.

In Scope

Scope Type            Scope Name
android_application   com.callsign.app.android
web_application       app.s02.callsign.com
web_application       *.s02.callsign.com
web_application       b2b.s02.callsign.com
web_application       https://southfields-v2.s02.t00-csglobal.a2develop.com/

Out of Scope

Scope Type            Scope Name
web_application       www.callsign.com
web_application       programs.callsign.com
web_application       pathway.callsign.com
web_application       support.callsign.com


This policy, crawled by Onyphe on 2022-04-19, is sorted as bounty.

FireBounty © 2015-2024
