Security response
We appreciate your concern
Keeping customer data safe and secure is a huge responsibility and a top priority. We work hard to protect our customers from the latest threats. Your input and feedback on our security is always appreciated.
Reporting security problems
If you are a HEY customer and your account is under an attack such as hacking or mailbombing, send us an email at shield@hey.com. We will respond within two hours and work with you to counter the attack.
Report security vulnerabilities via our bug bounty program on HackerOne. We’ll review your report and get back to you as soon as we can, usually within 72 hours. Please email our Security team if you have questions about the bug bounty program or don’t hear back from us on HackerOne in a timely manner.
For other urgent or sensitive reports, please email our Security team. If you feel it necessary, use our public key to keep your message safe and please provide us with a secure way to respond. We’ll respond as soon as we can. Please follow up or ping us on Twitter if you don’t hear back.
For requests that aren’t urgent or sensitive: submit a support request.
Tracking and disclosing security issues
We work with security researchers to keep up with the state-of-the-art in web security. Have you discovered a web security flaw that might impact our products? Please let us know. If you submit a report, here’s what will happen:
- We’ll acknowledge your report.
- We’ll triage your report and determine whether it’s eligible for a bounty.
- We’ll investigate the issue and determine how it impacts our products. We won’t disclose issues until they’ve been fully investigated and patched, but we’ll work with you to ensure we fully understand severity and impact.
- Once the issue is resolved, we’ll post a security update along with thanks and credit for the discovery.
Our products are built on the Ruby on Rails framework (which we created and maintain). The issue you reported might affect Rails, Ruby, or some other part of our technology stack. We ask for your patience while we also make sure other companies and their customers are protected. Either way, you’ll always have a 37signals contact for your issue.
Thanks for working with us
We respect the time and talent that drives new discoveries in web security technology. The following researchers and companies have gone out of their way to work with us to find, fix, and disclose security flaws safely:
- Brett Hardin
- Brian Mastenbrook
- Clouds
- Emanuel Bronshtein
- Jeremy Mack
- John Firebaugh
- Kamil Sevi
- Marko Karppinen
- Matasano Security
- MustLive
- Nathan Kontny
- nGenuity Information Services
- ONZRA
- Óscar Repáraz
- Rakan Alotaibi @hxteam
- Simon Brown
- Tim Bach
- Jan Habermann
- John Menerick
- Prajal Kulkarni
- Ajay Singh Negi
- Harsha Vardhan Boppana (Login Security Solution § Limited)
- Frans Rosén
- Rafay Baloch
- M.R. Vignesh Kumar
- Himanshu Kumar Das
- Krutarth Shukla
- Ahmad Ashraff
- InverseKey
- Adino Namchu
- Atulkumar Hariba Shedage
- West Arete
- Abhinav Karnawat / w4rri0r /
- Mahadev subedi
- Vedachala
- Ehraz Ahmed
- Umraz Ahmed
- Ahsan Akhtar
- Jose Pino
- Priyal Viroja
- Chris Raethke (Bugcrowd)
- Siddhesh Gawde
- Vinesh N. Redkar
- Swapnil Thaware
- Hammad Shamsi
- Saurabh Chandrakant Nemade
- Nitin Goplani
- Sahil Saif
- Rafael Pablos
- Nutan Kumar Panda
- Koutrouss Naddara
- Gurjant Singh
- Mayank Kapoor
- FailHunters Crew
- Daniel Alvear(MaztoR IN-Security)
- Ali Hassan Ghori (@alihasanghauri)
- Rodolfo Godalle Jr.
- Simone Memoli
- Daksh Patel
- Jovan Šikanja
- Muhammad Talha Khan
- Yash Pandya
- Mark Dodwell
- Gabe Marshall
- Matt Jaynes
- Nakul Mohan (@Anonymous_India)
- Hardik Tailor
- Marques Johansson
- Rishiraj Sharma
- Yogendra Sharma
- Prashant Padmashali
- Apoorv Joshi
- Shivam Kumar Agarwal, Nithish Varghese, and Sahil Srivastava
- Shahmeer Amir
- Hamid Ashraf
- Babar Khan Akhunzada
- Ramin Farajpour Cami
- Yassine Aboukir
- Vikas Anil Sharma
- Gaurang Bhatnagar
- Ahmed Adel Abdelfattah
- Sumit Sahoo
- Vishnu Prasanth G
- Ashish Padelkar
- Hazim Aslam
- Bram Gagliardi (securibee)