Report a Security Issue

If you believe you've found a vulnerability in Hoycall, please send us an email. We take security seriously and aim to acknowledge every report within 5 business days.

Email us — security@hoycall.com

Responsible Disclosure

We take security seriously and appreciate your help in keeping Hoycall safe.

What to Report

  • Authentication or authorization vulnerabilities
  • Data exposure or privacy issues
  • Cross-site scripting (XSS) or injection flaws
  • Business logic vulnerabilities
  • Any other security concerns

Our Process

  • We'll acknowledge your report within 5 business days
  • We'll investigate and keep you updated on progress
  • We'll work with you to understand and resolve the issue
  • We'll credit you (if desired) once the issue is fixed

Guidelines

  • Do not access or modify data that isn't yours
  • Do not perform actions that could harm our users or services
  • Give us reasonable time to fix issues before disclosure

Scope

In scope

  • hoycall.co.uk and its country variants (.com, .br.com, .no)
  • app.hoycall.com
  • api.hoycall.com

Out of scope

  • Any domain or service not listed above.
  • Third-party services we use but do not operate.
  • Findings from automated scanners with no demonstrated, realistic impact.
  • Denial of service, volumetric, or load-testing attacks.
  • Social engineering of our staff, partners, or users, and physical attacks.
  • Anything requiring access to another person's account or data.

Safe Harbor

If you make a good-faith effort to follow this policy during your research, we will consider that research authorised. We will not pursue or support legal action against you for accidental, good-faith violations of this policy, and we will work with you to resolve the issue quickly. Keep any proof of concept to the minimum needed to demonstrate the issue, and if you encounter personal data belonging to others, stop and report it rather than accessing, copying, or sharing it. This authorisation does not extend to actions beyond this policy and does not bind any third party.

See the researchers we have credited on our Security Acknowledgments page.