Questions & Answers

Last updated - November 16, 2021

  • Two highlights make us an alternative to conventional penetration testing models:

       - We are global, meaning our vetted resources are located all over the world. In terms of benefits, this means a quick turnaround in scheduling a pentest engagement, access to highly specialized resources, outstanding deliverable quality, and a low price for the services provided.

       - We deliver the pentest experience through our Security Skills as a Service, a transparent, collaborative approach with the testing teams.

       - We have a highly selective acceptance policy compared with similar services that practice an open-gate policy, where clients end up paying hidden costs for testers' mistakes and questionable experience before seeing any benefit from the service.

       - A Pentest as a Service business requires hard work, strong knowledge of the market and its procedures, and above all, trust. We have what it takes to be called one of the best here, and we look to cultivate trust with our clients first instead of chasing their money.

  • That is an absolute NO. Security Hubs promotes Security Skills as a Service backed up by a highly selective and closed managed security engineering talent network that provides offensive security testing under the penetration testing concept. We strive to go well beyond just flagging and detailing security issues.

  • Members of the Security Hubs network are seasoned security engineers, professional penetration testers, and security consultants with a proven track record. All of them have a minimum of five years of experience and the OSCP certification. Overall, the pentesting service component is just a subset of the network's overall offensive skill set.

  • A penetration test (also known as a pen test or a pentest) is an authorized cyberattack against a company's network.

    The test is conducted to check the application's security for exploitable vulnerabilities that hackers and other cybercriminals could use to gain access. During the test, a cybersecurity professional runs controlled, simulated attacks against the network's defenses.
    Penetration tests are always conducted under controlled conditions that simulate the various scenarios a real attacker would use. Penetration tests go well beyond basic vulnerability scanning.

    Penetration tests scan the network for any vulnerabilities—large or small—that could be used by a hacker to gain access to sensitive data such as financial information, personally identifiable information, company assets, customer/client data, information on business partners, and more.

    Our tests use a disciplined and repeatable methodology, which results in a detailed report outlining the security issues found and recommendations on how to remedy them to improve the environment's security. Security improvements make it more difficult for a malicious actor to gain access to the system.

  • The goal of a pentest is to evaluate the effectiveness of all security measures on a network.

    The pentest results are aimed at documenting specific vulnerabilities and supplying recommendations on how to fix these issues. Penetration test results are geared to supply a deliverable report that includes:

       - Executive summary: which covers the basics of the testing and any issues that were found. The report should also include the next steps to fix any issues that were found during the pentest.

       - Summary of vulnerabilities: this is a list of the security issues found during the penetration test. Vulnerabilities may be grouped by category, severity, etc.

       - Test team details: this should include the name of each tester involved in the pentest.

       - List of tools used: this should include a list of each tool used and its function. The reason to include this list is to make sure the tests are accurate and repeatable if the assessments need to be done again.

       - A copy of the original scope of work: detailing what was performed, expectations, etc.

    The report's main body includes the details of all vulnerabilities that were detected and how each one might be exploited, including the likelihood of exploitation.

  • Penetration tests are essential for various reasons, including:

       - Your industry may have regulations that require pentests to be performed regularly.

       - Pentests can determine if changes in the environment have created vulnerabilities. Changes include upgrades and system reconfiguration.

       - Tests can be done during the QA process of software development, preventing security bugs from entering production systems.

       - Your customers may require pentesting if your company is involved in data storage. Testing can reassure customers that their data is secure and prove that their assets/services are managed securely.

       - Pentests are usually required for internal due diligence to verify the company's current security management of vulnerabilities and possible risks. Test results can also be integrated with an ongoing risk assessment and management process.

       - Pentests are a valuable tool to check that potential acquisition targets have adequate security controls. The test results help the organization preparing for the acquisition to see what vulnerabilities it may be taking on and then use the report to budget the costs involved in fixing these weaknesses.

       - During a breach investigation, pen tests can help assess whether or not the company is vulnerable to other security issues, creating a more comprehensive response to the breach.

       - Pentesting can also help a company be proactive by running an assessment to check for vulnerabilities that have only just been discovered or are not yet widely known/published.

       - Penetration testing is an optimal tool to use during the development of new web applications. At specific points during development, pentests can detect flaws. Also, testing can be run before the app is released to ensure all security issues have been found and corrected before users use it.

  • This is a highly disciplined process. The company running the tests should keep all stakeholders informed at each crucial stage of the process. You can also expect the following from a penetration testing company:

       - The company to have a thorough, well-coordinated plan and be dedicated to keeping you informed at important stages throughout the testing process.

       - A reputable penetration testing company will have a disciplined, repeatable method they apply.

       - Their testing methods should be customized to fit your unique environment and business.

       - The testing company should offer a clearly defined:

                a. Initiation process

                b. Planning process

    They must also offer coordinated testing, work to ensure the tests are accurate, and provide clear direction on fixing any security issues found during the test.

    Q: What is the scope of the penetration test?

    The company will work with you to determine the scope of the testing. The tests must be customized to fit your unique environment and business. Several considerations help determine the scope of a penetration test:

       - The type and nature of the business, including types of products and services offered

       - Any regulatory compliance requirements and deadlines

       - Location/geographic considerations

       - Organizational structure

       - Company's strategic plans

       - Customer expectations, especially if the company stores customer data

       - Value of the organization's assets

       - Redundancy issues in the environment, which could impact testing

       - Network segmentation and connectivity

       - Age of various components of the network

       - Recent/planned changes to the environment

  • There are several common areas usually selected for testing, including external networks, internal networks, web applications, wireless networks, and employee security awareness (through social engineering). These are generally performed as part of a single comprehensive penetration test, but each one varies in the approach needed for the test.

    External network: focuses on the technology that faces the Internet. This may include the company website, external network servers, and more. The test begins by looking for potential targets. These can include responding networks, hosts, or services that could be used to gain entry to a secured network. Where a web application is identified as vulnerable, the security consultant asks for permission to go deeper, checking for exposed services and their relationships. The goal is to check for vulnerabilities that can be used to gain entry to the internal network.

    Internal network: these tests are very similar to external pentests but oriented toward internal network attack vectors rather than external ones. An internal pentest is done on the internal network, behind the perimeter firewalls. The approach is similar to an external penetration test but is conducted remotely over a jump box. Onsite testing allows the pentester to target internal assets such as file servers, individual user workstations, domain controllers, internal application servers, databases, and other connected devices.

    Web / API / Mobile applications: these tests are more in-depth and review over 100 specific areas within each web / mobile application. Testing usually starts with information gathering and then goes on to test the following areas:

       - Configuration and deployment management

       - Identity management

       - Authentication

       - Authorization

       - Session management

       - Data validation

       - Error handling

       - Cryptography strength

       - Business logic

       - Client-side security

       - Reverse engineering

       - And other development language-specific tests as needed

    Testing offers a comprehensive look at the company's web / mobile applications, intending to identify and evaluate technical vulnerabilities. Testing is set up in advance and is authorized by the company. Any credentials/packages needed are provided to the security consultant so that the application can be reviewed from different user perspectives, including that of an unauthorized user, and the various risks that may affect the scoped application's security can be identified.

    Remote social engineering: this type of test is conducted to assess employee security awareness and incident response. It is performed under controlled conditions and uses intentionally crafted fake websites and email campaigns that target employees; it can also test phone contact and other customized attack scenarios. This test is most often conducted after security awareness training or education to check the training's effectiveness.

    Remediation verification: this test re-checks vulnerabilities that were previously found and fixed. It is used to confirm that the corrective steps were implemented and are effective.

  • You'll want to ensure the penetration test provider meets these standards:

       - The team should include a dedicated project manager, skilled/experienced test team, resource coordinator(s), and a point of escalation.

       - The team should be comprised of individuals who have in-depth experience with multiple technologies, including:

            a. Client platforms

            b. Server infrastructures

            c. Web application development

            d. IP networking

       - Each member of the team should have valid certifications that are relevant to their roles:

            a. Offensive Security Certified Professional (OSCP)

            b. eLearnSecurity (eWPT | eWPTX)

            c. Any other Offensive Certification (OSWE | OSCE | OSEE) or equivalents.

    If the penetration test is conducted to meet regulatory compliance requirements, then the team will need additional experience and/or certifications to ensure the methods used are appropriate and the results are presented correctly. For instance, a pentest conducted to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirement 11.3 should be performed by a team with these certifications: PCI QSA and PCI PA-QSA. Some teams may also hold additional technology certifications to demonstrate their knowledge and competence.

    Q: What documentation should I receive when the test is complete? How are the results documented?

    When the pentest is complete, you should receive a report that details the test findings, recommendations, and supporting evidence. The report should also include the scope and boundaries of the testing and when the test was conducted. The report should contain detailed technical information, along with a summary for those who are non-technical. Your report should include the following:

       - Detailed recommendations on how to remedy observed vulnerabilities

       - Information on how the vulnerabilities may impact the business

       - Specific instructions to fix vulnerabilities, including any instructional material that may be required

       - Supporting evidence and examples

       - Step-by-step and screen-by-screen walkthrough that shows exploits; this allows you to understand and reproduce each scenario

       - Executive and summary reports for those who are non-technical

       - A separate report prepared for third parties (such as customers) who would like proof the penetration test has been conducted

       - All deliverables should be high-quality and reviewed with you, which helps validate the test's accuracy and ensure you understand all recommendations

  • Validating that vulnerabilities have been fixed can be done using in-house testing or by using an external, independent company that performs verification testing. While some companies choose to go with in-house validation, most choose to use an external independent company's services for validation.

    This is why it's so important to have the penetration test set up in a repeatable manner. As a best practice, the company that performs the remediation validation testing should not be the same company that performed the penetration test. Using the same tester is not as reliable as using an independent security consultant to check their work.

    Q: How do we prepare for a penetration test?

    There's no special preparation needed before a penetration test. The pentest will be done at a specific point in time. So, if you run regular patches on Wednesdays or Tuesdays, just keep to the same schedule. You don't have to change this process to accommodate the pentest. Only adjust this process after the assessment, if the test shows issues that need to be addressed.

    However, when planning and coordinating the test, the testing company should account for your patching schedule in the process. They should have documentation that provides details on in-scope IP ranges, and you may need to prepare test environments and support the test scenarios defined in the scope.

    Other than that, there's not much preparation needed before the pentest.

  • After reviewing the pentest report, you'll need to assess each vulnerability using a risk-based model before making any firm decisions. Each vulnerability needs to be evaluated for how it impacts your business and for the probability of it being exploited. Then you can assign a risk rating to the specific vulnerability.

    It's important to have risk criteria defined to determine if specific vulnerabilities need to be fixed or not.

    For those vulnerabilities within an acceptable threshold, you may decide to monitor them to see if their risk level changes over time. The pentest result report should help you with this process.

    When you're in a compliance situation, vulnerabilities may be seen as risks to security. In these cases, the risks need to be addressed, or you may choose to employ compensating controls when a fix is not possible.

    Q: How much does a penetration test usually cost?

    The cost of a penetration test is based on several factors, including:

       - The scope of the project

       - Size of the environment

       - Quantity of systems

       - Frequency of testing

    It is important to have a meeting to determine the testing scope and develop a Statement of Work before the test is conducted.

    In the best case, a pentest should be done on a fixed-fee basis, which helps you to avoid hidden or unexpected costs. The fee quoted should include all labor and required testing tools. You should avoid engaging a testing company that provides a statement of work that only gives you an estimate rather than a fixed cost.

    However, at Security Hubs, we are taking a different cost approach, making us probably one of the most affordable pentesting companies at this point.

  • You'll need to ensure that enough time is reserved ahead of the test, which can be used for planning test activities. It's also helpful to add more time after the test is done, so the testing company has time to write up the report and for meetings and remediation discussions.

    Generally, the larger or more complex the environment is, the more effort will be needed for the test.

    Test duration, however, is controllable. In all instances, the test duration should be compressed to give the best results and view of the environment at a given point in time.

    As a rule of thumb, a penetration test may take anywhere from one to four weeks. This includes the test itself, which can take one to two weeks.

    Q: What is the difference between "ethical hacking" and other types of hackers and pentesting?

    Ethical hackers are those who work legitimately to test your company's network. "Black box testing" is a covert, unassisted test, while "white box testing" is assisted but non-covert testing. These are not strict designations, and be aware that there are shades of gray between these categories.

    You should not put much store by these terms because they're generally used as marketing ploys. These designations should not be used to determine whether a team is qualified to conduct penetration tests. Instead, look for a company that provides credentials for each team member on the project. They should also include information on each team member's experience, peer references (from those who have worked with them in the past), and evidence that their approach/methodology is accepted in the industry. This is what you should look for when choosing a company for your penetration testing.

  • Scoping a test is a structured process where you submit information about the target (including platform specifications, objectives, and instructions). We then use this information to create a team of pentesters who have the right skills to test your environment.

    Q: Does your company do security testing for mobile apps?

    Yes, as we said previously, we can cover all mobile platforms; however, we most often test iOS and Android apps. The tests are done using the latest frameworks and techniques, including reverse engineering and other custom tooling.

    Q: Do you do security testing for APIs?

    Yes, we understand that SaaS businesses rely heavily on web APIs. As a result, we provide specialized API pentests. We're able to test web apps, mobile apps, and external networks, making us a great fit for most online businesses.

    Q: Do you perform security testing for networks?

    Yes, we can conduct external network testing. We usually do this for PCI testing or similar cases.

  • Yes, we can conduct external network testing. We usually do this for PCI testing or similar cases.

    Q: What kinds of vulnerabilities do pentesters usually find?

    Our pentesters find vulnerabilities of all types. However, they most often report vulnerabilities in a company's business logic, SSRF, Cross-Site Scripting, and other vulnerabilities that fall into the OWASP Top 10 categories.

  • Yes, you'll have the opportunity to communicate directly with the test team. You can ensure they have the necessary knowledge to perform a high-quality test for those scenarios you're concerned about.

    Q: Can I share my credentials (usernames + passwords) with the pentesters for authenticated testing?

    Yes. In fact, most of the pentests we perform are on authenticated parts of a service, and we provide a secure way to share user credentials through the platform.

    Q: I don't want tests to be run in my production environment. How can I avoid this?

    Keep in mind that testing of production is recommended. Testing does not usually have a negative impact on systems. However, to avoid testing a production environment, it's best to set up a staging environment that includes sample data for security testing.

  • During the test, pentesters may use automated tools that check for different vectors to make sure you're being protected across various areas. The traffic and requests should be similar to the normal traffic and requests your site typically experiences from regular visits by a few users. The peak may reach 100Mbps (0.1Gbps) when running short, intense scans. However, most of the testing relies on manual techniques, which typically use an order of magnitude less bandwidth.

    Q: I want to specify off-peak times for penetration testing, so my production environment does not go down when my users are most active. How can I do this?

    The testing, in general, will not harm or interfere with your systems. However, if you'd like to establish specific times for the pentesters, you can include this information in the program description. In this way, you can specify when pentesters can be active in your production environment to run tests.

  • The larger cloud providers (AWS, Azure, GCP) don't require prior notification of normal penetration testing. However, if you use a small provider, be sure to check with them, and we can supply the information they may need.

    Q: Can anyone become a pentester with your company?

    Please check the Open positions section to understand our hiring process.

    Q: How are pentesters rated?

    Pentesters earn feedback on their performance and knowledge from companies they've worked with in the past and from peers when working together on a security project. The feedback contributes to a pentester's overall quality score and vulnerability report ratings. This information is used to rate a pentester's performance on our platform. A Hall of Fame will be available to clients soon.

  • The Pentester's Score is the pentester's overall performance on our platform. Values are determined on a variable scale, and we are using AD&D rules to scale it. Our people have a score, a rank, and various badges that reflect their skills and overall activity.

    Q: What type of deliverables can I expect from your penetration tests?

    You can expect individual finding reports with detailed information about each vulnerability. You'll also receive a full summary report, which describes the test and the findings at an executive level and is the perfect report to share with stakeholders.

    Q: Can I use your pentest reports for my sales process?

    Yes, you can use our pentest reports to show your customers that you take security seriously. Our reports come in different levels of detail, ranging from an attestation-style report to a full report with all finding details. So, you can decide exactly how much information to share with your customers.

  • Yes, we're an agile company ready to help you with your urgent work. You can schedule a demo today, and we can get your testing started as soon as possible.

    Q: Can I just get a simple report from your pentest?

    In theory, yes, just get in touch, and we'll provide you with a sample report as a result of a quick discussion.

  • Our report quality is ensured by a QA team of Senior Penetration Testers / Senior Security Engineers with 10+ years of experience in the area, responsible for ensuring that each finding and the entire report meet our high-quality expectations. Our Leads are highly experienced; in fact, the average professional experience of our Pentest Leads is about 11 years. Also, each member of the team is rated based on their report submissions. This provides accountability and transparency for our company to deliver consistent, strong results every time. Quality reports you can count on.

    Q: If I don't completely understand a vulnerability report submitted by a pentester, can I communicate with the pentester directly?

    Yes, in fact, we encourage this, as communication is essential. You can write comments and questions directly to the pentesters and ask them to clarify a specific report. It's also possible to write internal comments to your team to increase collaboration.

    We also understand that pentest findings may not always be fixed right away. For this reason, we allow you to have direct communication with the pentesters for months after the pentest has been completed.

  • Only team members who have been invited, along with the pentesters, are allowed to see the list of vulnerabilities reported. Our customer service and SecOps members will also be able to review vulnerabilities to support the pentest. All access is visible and controllable within each pentest program's settings.

    Q: Can a pentester publicly disclose vulnerabilities found on my site?

    They can only do so with your permission. If a pentester wants to share this information publicly (either anonymously or not) to benefit the community, they need to request your permission and act according to your response.

  • All of our employees are required to use strong, unique passwords and 2-factor authentication with Google Authenticator, Authy, or BitWarden where possible. In addition, our employees use password managers and screen locking, and encrypt their local hard drives to protect data. More information about our internal security practices can be found under the Security Policy section.

  • At Security Hubs, we believe that penetration testing can be simpler and more straightforward than it is right now. Dedicated to our clients' security, we offer a Security Skills as a Service model, drawing on our combined years of experience to develop and deploy penetration testing methodologies that work. Our vision is singular: we want to keep you and your business safe so that you never need to worry about your security, confident that your systems are in good hands.

  • At Security Hubs, we strive to achieve simplicity, and that's why we have a checklist. In a nutshell:

       - You get in touch with us

       - We scope the work and send you the Statement of Work (SoW)

       - You double-check, sign, and accept the terms

       - We deploy the team and open a real-time communication channel

       - At the end of the engagement, you receive the report

       - We will follow up with you

    We maintain a track record of quality for all our projects. As a quality- and performance-driven company, we are focused on ALL our clients. "We say what we do, and do what we say" is the principle that pervades every engagement and every delivered project. Every completed engagement allows us to analyze and assess our people's technical approach, how the project phases were executed, and how the various execution sequences can be improved.

  • Security Hubs members are well known for their experience and flexibility in executing penetration tests of web applications (backed by APIs or not), mobile apps (iOS / Android), network infrastructure, and cloud premises. If you have something more exotic that needs to be assessed, do not worry: send us an email or let's have a chat, and we will be happy to see if we can help.

  • Yes, we can. We meet the pentest requirements for most current compliance needs, such as SOC 2, PCI DSS (11.2 | 11.3), etc. Send us an email to get more info on this matter.

       - PCI DSS requirement 11.2 - internal and external vulnerability scanning (quarterly)

       - PCI DSS requirement 11.3 - external and internal penetration testing (annually and after any significant infrastructure or application upgrade or modification)
  • Yes. We understand that the GDPR coming into effect in 2018 represented a big change in data protection law. Failing to comply with the GDPR could lead to a fine of €20 Million or 4% of your annual gross revenue. We can help you comply with GDPR Article 32(1), which instructs a business to execute regular Penetration Testing / Security Assessments against its infrastructure and web applications. Ultimately, let's have a chat to understand your current challenges in this space and how we can help.

  • If the pentest is not planned properly and the service vendor does not have enough professional experience to understand the client's business context, it can be disruptive. This is why a Security Hubs testing team consists only of high-end certified professionals with years of experience testing complex environments. Before commencing any testing, they recheck the program details for inconsistencies.

Privacy Policy

Last updated - May 18, 2021

  • This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.

    We use Your Personal data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.

    INTERPRETATIONS AND DEFINITIONS

    Interpretations

    The words of which the initial letter is capitalized have meanings defined under the following conditions.

    Definitions

    For the purposes of this Privacy Policy:

       -   You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. Under GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as you are the individual using the Service.

       -   Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Security Hubs Inc, 2093 Philadelphia Pike #4494, Claymont. For the purpose of the GDPR, the Company is the Data Controller.

       -   Affiliate means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.

       -   Account means a unique account created for You to access our Service or parts of our Service.

       -   Website refers to Security Hubs, accessible from https://securityhubs.io

       -   Service refers to the Website.

       -   Country refers to: Delaware, United States

       -   Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used. For the purpose of the GDPR, Service Providers are considered Data Processors.

       -   Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.

       -   Personal Data is any information that relates to an identified or identifiable individual. For the purposes of the GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity. For the purposes of the CCPA, Personal Data means any information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with You.

       -   Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.

       -   Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.

       -   Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).

       -   Data Controller, for the purposes of the GDPR (General Data Protection Regulation), refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.

       -   Do Not Track (DNT) is a concept that has been promoted by US regulatory authorities, in particular the U.S. Federal Trade Commission (FTC), for the Internet industry to develop and implement a mechanism for allowing internet users to control the tracking of their online activities across websites.

       -   Business, for the purpose of the CCPA (California Consumer Privacy Act), refers to the Company as the legal entity that collects Consumers' personal information and determines the purposes and means of the processing of Consumers' personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California.

       -   Consumer, for the purpose of the CCPA (California Consumer Privacy Act), means a natural person who is a California resident. A resident, as defined in the law, includes (1) every individual who is in the USA for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the USA who is outside the USA for a temporary or transitory purpose.

       -   Sale, for the purpose of the CCPA (California Consumer Privacy Act), means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer's Personal information to another business or a third party for monetary or other valuable consideration.

    COLLECTING AND USING YOUR PERSONAL DATA

    Types of Data Collected - Personal Data

    While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:

       -   Email address

       -   First name and last name

       -   Phone number

       -   Address, State, Province, ZIP/Postal code, City

       -   Bank account information in order to pay for products and/or services within the Service

       -   Usage Data

    When You pay for a product and/or a service via bank transfer, We may ask You to provide information to facilitate this transaction and to verify Your identity. Such information may include, without limitation:

       -   Date of birth

       -   Passport or National ID card

       -   Bank card statement

       -   Other information linking You to an address

    Types of Data Collected - Usage Data

    Usage Data is collected automatically when using the Service. Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

    When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.

    We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.

    Tracking Technologies and Cookies

    We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyze Our Service. You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service.

    Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close your web browser. Learn more about cookies in the "What Are Cookies" article.

    We use both session and persistent Cookies for the purposes set out below:

       -  Necessary / Essential Cookies
          Type: Session Cookies
          Administered by: Us
          Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.

       -  Cookies Policy / Notice Acceptance Cookies
          Type: Persistent Cookies
          Administered by: Us
          Purpose: These Cookies identify if users have accepted the use of cookies on the Website.

       -  Functionality Cookies
          Type: Persistent Cookies
          Administered by: Us
          Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.

       -  Tracking and Performance Cookies
          Type: Persistent Cookies
          Administered by: Third-Parties
          Purpose: These Cookies are used to track information about traffic to the Website and how users use the Website. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these Cookies to test new advertisements, pages, features or new functionality of the Website to see how our users react to them.

       -  Targeting and Advertising Cookies
          Type: Persistent Cookies
          Administered by: Third-Parties
          Purpose: These Cookies track your browsing habits to enable Us to show advertising which is more likely to be of interest to You. These Cookies use information about your browsing history to group You with other users who have similar interests. Based on that information, and with Our permission, third party advertisers can place Cookies to enable them to show adverts which We think will be relevant to your interests while You are on third party websites.

    USE OF YOUR PERSONAL DATA

    The Company may use Personal Data for the following purposes:

       -   To provide and maintain our Service, including to monitor the usage of our Service.

       -   To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.

       -   For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.

       -   To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.

       -   To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless You have opted not to receive such information.

       -   To manage Your requests: To attend and manage Your requests to Us.

    We may share Your personal information in the following situations:

       -   For Business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company.

       -   With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.

       -   With Business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.

    RETENTION OF YOUR PERSONAL DATA

    The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

    The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.

    TRANSFER OF YOUR PERSONAL DATA

    Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to, and maintained on, computers located outside of Your state, province, country or other governmental jurisdiction, where the data protection laws may differ from those of Your jurisdiction.

    Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.

    The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of Your data and other personal information.

    DISCLOSURE OF YOUR PERSONAL DATA

    Business Transactions

    If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

    Law enforcement

    Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

    Other legal requirements

    The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:

       -   Comply with a legal obligation

       -   Protect and defend the rights or property of the Company

       -   Prevent or investigate possible wrongdoing in connection with the Service

       -   Protect the personal safety of Users of the Service or the public

       -   Protect against legal liability

    Security of Your Personal Data

    The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.

    DETAILED INFORMATION ON THE PROCESSING OF YOUR PERSONAL DATA

    Service Providers have access to Your Personal Data only to perform their tasks on Our behalf and are obligated not to disclose or use it for any other purpose.

    Analytics

    We may use third-party Service providers to monitor and analyze the use of our Service.

    Google Analytics - Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network.

    Microsoft Clarity - Microsoft Clarity is a user behavior analytics tool that helps you understand how users are interacting with your website through session replays and heatmaps.

    You can opt out of making your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information with Google Analytics about visit activity.

    For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en

    Advertising

    We may use Service providers to show advertisements to You to help support and maintain Our Service.

       -   Google AdSense & DoubleClick Cookie & Tag Manager

    Google, as a third party vendor, uses cookies to serve ads on our Service. Google's use of the DoubleClick cookie enables it and its partners to serve ads to our users based on their visit to our Service or other websites on the Internet. You may opt out of the use of the DoubleClick Cookie for interest-based advertising by visiting the Google Ads Settings web page: https://www.google.com/ads/preferences/

       -   AdMob by Google

    AdMob by Google is provided by Google Inc. You can opt-out from the AdMob by Google service by following the instructions described by Google: https://support.google.com/ads/answer/2662922?hl=en

    For more information on how Google uses the collected information, please visit the "How Google uses data when you use our partners' sites or app" page: https://policies.google.com/technologies/partner-sites or visit the Privacy Policy of Google: https://policies.google.com/privacy

       -   Bing Ads

    Bing Ads is an advertising service provided by Microsoft Inc.

    You can opt-out from Bing Ads by following the instructions on Bing Ads Opt-out page: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads

    For more information about Bing Ads, please visit their Privacy Policy: https://privacy.microsoft.com/en-us/PrivacyStatement

    EMAIL MARKETING

    We may use Your Personal Data to contact You with newsletters, marketing or promotional materials and other information that may be of interest to You. You may opt-out of receiving any, or all, of these communications from Us by following the unsubscribe link or instructions provided in any email We send or by contacting Us. We may use Email Marketing Service Providers to manage and send emails to You.

       -   Mailchimp

    Mailchimp is an email marketing sending service provided by The Rocket Science Group LLC. For more information on the privacy practices of Mailchimp, please visit their Privacy policy: https://mailchimp.com/legal/privacy/

    BEHAVIORAL REMARKETING

    The Company uses remarketing services to advertise on third party websites to You after You visited our Service. We and Our third-party vendors use cookies to inform, optimize and serve ads based on Your past visits to our Service.

       -   Google Ads (AdWords)

    Google Ads (AdWords) remarketing service is provided by Google Inc. You can opt-out of Google Analytics for Display Advertising and customise the Google Display Network ads by visiting the Google Ads Settings page: https://www.google.com/settings/ads

    Google also recommends installing the Google Analytics Opt-out Browser Add-on - https://tools.google.com/dlpage/gaoptout - for your web browser. Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data from being collected and used by Google Analytics.

    For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en

       -   Bing Ads Remarketing Bing Ads remarketing service is provided by Microsoft Inc. You can opt-out of Bing Ads interest-based ads by following their instructions: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads

    You can learn more about the privacy practices and policies of Microsoft by visiting their Privacy Policy page: https://privacy.microsoft.com/en-us/PrivacyStatement

       -   Twitter Twitter remarketing service is provided by Twitter Inc. You can opt-out from Twitter's interest-based ads by following their instructions: https://support.twitter.com/articles/20170405

    You can learn more about the privacy practices and policies of Twitter by visiting their Privacy Policy page: https://twitter.com/privacy

    PAYMENTS

    We may provide paid products and/or services within the Service. In that case, we may use third-party services for payment processing (e.g. payment processors).

    We will not store or collect Your payment card details. That information is provided directly to Our third-party payment processors whose use of Your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

       -   Stripe - Their Privacy Policy can be viewed at https://stripe.com/us/privacy

    When You use Our Service to pay for a product and/or service via bank transfer, We may ask You to provide information to facilitate this transaction and to verify Your identity.

    Usage, Performance and Miscellaneous

    We may use third-party Service Providers to improve our Service.

       -   Invisible / Visible reCAPTCHA - We may use a captcha service named reCAPTCHA. reCAPTCHA is operated by Google.

    The reCAPTCHA service may collect information from You and from Your Device for security purposes.

    The information gathered by reCAPTCHA is held in accordance with the Privacy Policy of Google: https://www.google.com/intl/en/policies/privacy/

    GDPR PRIVACY

    Legal Basis for Processing Personal Data under GDPR

    This section applies solely to individuals in the EU (for these purposes, reference to the EU also includes the European Economic Area countries of Iceland, Liechtenstein and Norway and, where applicable, Switzerland). Our Privacy Policy describes why and how Security Hubs collects, uses and stores your Personal Data, the lawful basis on which your Personal Data is processed, and what your rights and our obligations are in relation to such processing (please see “Your Rights” section below).

    Data Controller

    Security Hubs is the data controller for processing your Personal Data. The data controller is responsible for deciding how Personal Data about you is used. Please see the Contact section below to find out how to contact us.

    We may process Personal Data under the following conditions:

       -   Consent: You have given Your consent for processing Personal Data for one or more specific purposes.

       -   Performance of a contract: Provision of Personal Data is necessary for the performance of an agreement with You and/or for any pre-contractual obligations thereof.

       -   Legal obligations: Processing Personal Data is necessary for compliance with a legal obligation to which the Company is subject.

       -   Vital interests: Processing Personal Data is necessary in order to protect Your vital interests or of another natural person.

       -   Public interests: Processing Personal Data is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Company.

       -   Legitimate interests: Processing Personal Data is necessary for the purposes of the legitimate interests pursued by the Company.

    In any case, the Company will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

    Data Transfers

    Security Hubs is based in the United States. When you apply as a Skills Provider or use our services as a Client, or otherwise use our Site, your Personal Data may be transmitted to servers in the United States as necessary to provide you with the services that you requested, administer our contract with you or to respond to your requests as described in this Privacy Policy, and the data may be transmitted to our service providers supporting our business operations (described above). The United States may have data protection laws less stringent than or otherwise different from the laws in effect in the country in which you are located. Where we transfer your Personal Data out of the European Economic Area (EEA) we will take steps to ensure that your Personal Data receives an adequate level of protection where it is processed and your rights continue to be protected.

    Data Retention

    Our policy is to keep your Personal Data only for as long as is reasonably necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements. If you have elected to receive marketing communications from us, we retain information about your marketing preferences until you opt out of receiving these communications and in accordance with our policies. To determine the appropriate retention period for your Personal Data, we will consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we use your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we may anonymize your Personal Data so that it can no longer be associated with you, in which case it is no longer Personal Data.

    YOUR RIGHTS UNDER GDPR

    The Company undertakes to respect the confidentiality of Your Personal Data and to guarantee You can exercise Your rights. You have the right under this Privacy Policy, and by law if You are within the EU, to:

       -   Request access to Your Personal Data. The right to access, update or delete the information We have on You. Whenever made possible, you can access, update or request deletion of Your Personal Data directly within Your account settings section. If you are unable to perform these actions yourself, please contact Us to assist You. This also enables You to receive a copy of the Personal Data We hold about You.

       -   Request correction of the Personal Data that We hold about You. You have the right to have any incomplete or inaccurate information We hold about You corrected.

       -   Object to processing of Your Personal Data. This right exists where We are relying on a legitimate interest as the legal basis for Our processing and there is something about Your particular situation, which makes You want to object to our processing of Your Personal Data on this ground. You also have the right to object where We are processing Your Personal Data for direct marketing purposes.

       -   Request erasure of Your Personal Data. You have the right to ask Us to delete or remove Personal Data when there is no good reason for Us to continue processing it.

       -   Request the transfer of Your Personal Data. We will provide to You, or to a third-party You have chosen, Your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which You initially provided consent for Us to use or where We used the information to perform a contract with You.

       -   Withdraw Your consent. You have the right to withdraw Your consent on using your Personal Data. If You withdraw Your consent, We will not be able to provide You with access to our Service.

    EXERCISING OF YOUR GDPR DATA PROTECTION RIGHTS

    You may exercise Your rights of access, rectification, cancellation and opposition by contacting Us. Please note that we may ask You to verify Your identity before responding to such requests. If You make a request, We will try our best to respond to You as soon as possible.

    You have the right to complain to a Data Protection Authority about Our collection and use of Your Personal Data. For more information, if You are in the European Economic Area (EEA), please contact Your local data protection authority in the EEA.

    CCPA PRIVACY

    Your Rights under the CCPA

    Under this Privacy Policy, and by law if You are a resident of California, You have the following rights:

       -   The right to notice. You must be properly notified which categories of Personal Data are being collected and the purposes for which the Personal Data is being used.

       -   The right to access / the right to request. The CCPA permits You to request and obtain from the Company information regarding the disclosure of Your Personal Data that has been collected in the past 12 months by the Company or its subsidiaries to a third-party for the third party's direct marketing purposes.

       -   The right to say no to the sale of Personal Data. You also have the right to ask the Company not to sell Your Personal Data to third parties. You can submit such a request by visiting our "Do Not Sell My Personal Information" section or web page.

       -   The right to know about Your Personal Data. You have the right to request and obtain from the Company information regarding the disclosure of the following:

        *    The categories of Personal Data collected

        *    The sources from which the Personal Data was collected

        *    The business or commercial purpose for collecting or selling the Personal Data

        *    Categories of third parties with whom We share Personal Data

        *    The specific pieces of Personal Data we collected about You

       -   The right to delete Personal Data. You also have the right to request the deletion of Your Personal Data that have been collected in the past 12 months.

       -   The right not to be discriminated against. You have the right not to be discriminated against for exercising any of Your Consumer's rights, including by:

        *    Denying goods or services to You

        *    Charging different prices or rates for goods or services, including the use of discounts or other benefits or imposing penalties

        *    Providing a different level or quality of goods or services to You

        *    Suggesting that You will receive a different price or rate for goods or services or a different level or quality of goods or services.

    EXERCISING YOUR CCPA DATA PROTECTION RIGHTS

    In order to exercise any of Your rights under the CCPA, and if you are a California resident, You can email or call us or visit our "Do Not Sell My Personal Information" section or web page.

    The Company will disclose and deliver the required information free of charge within 45 days of receiving Your verifiable request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary and with prior notice.

    DO NOT SELL MY PERSONAL INFORMATION

    We do not sell personal information. However, the Service Providers we partner with (for example, our advertising partners) may use technology on the Service that "sells" personal information as defined by the CCPA law.

    If you wish to opt out of the use of your personal information for interest-based advertising purposes and these potential sales as defined under CCPA law, you may do so by following the instructions below.

    Please note that any opt out is specific to the browser You use. You may need to opt out on every browser that you use.

    Website

    You can opt out of receiving ads that are personalized as served by our Service Providers by following our instructions presented on the Service:

       -   From Our "Cookie Consent" notice banner

    The opt out will place a cookie on Your computer that is unique to the browser You use to opt out. If you change browsers or delete the cookies saved by your browser, you will need to opt out again.

    Mobile Devices

    Your mobile device may give you the ability to opt out of the use of information about the apps you use in order to serve you ads that are targeted to your interests:

       -   "Opt out of Interest-Based Ads" or "Opt out of Ads Personalization" on Android devices

       -   "Limit Ad Tracking" on iOS devices

    You can also stop the collection of location information from Your mobile device by changing the preferences on your mobile device.

    "Do Not Track" Policy as Required by California Online Privacy Protection Act (CalOPPA)

    Our Service does not respond to Do Not Track signals. However, some third party websites do keep track of Your browsing activities. If You are visiting such websites, You can set Your preferences in Your web browser to inform websites that You do not want to be tracked. You can enable or disable DNT by visiting the preferences or settings page of Your web browser.

    CHILDREN'S PRIVACY

    Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 13 without verification of parental consent, We take steps to remove that information from Our servers.

    Your California Privacy Rights (California's Shine the Light law)

    Under California Civil Code Section 1798 (California's Shine the Light law), California residents with an established business relationship with us can request information once a year about sharing their Personal Data with third parties for the third parties' direct marketing purposes.

    If you'd like to request more information under the California Shine the Light law, You can contact Us using the contact information provided below.

    California Privacy Rights for Minor Users (California Business and Professions Code Section 22581)

    California Business and Professions Code section 22581 allows California residents under the age of 18 who are registered users of online sites, services or applications to request and obtain removal of content or information they have publicly posted.

    To request removal of such data, and if you are a California resident, You can contact Us using the contact information provided below, and include the email address associated with Your account. Be aware that Your request does not guarantee complete or comprehensive removal of content or information posted online and that the law may not permit or require removal in certain circumstances.

    Links to Other Websites

    Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.

    We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.



    CHANGES TO THIS PRIVACY POLICY

    We may update our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.

    We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy.

    You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

    Contact Us

    If you have any questions about this Privacy Policy, You can contact us:

       -   By email: [email protected]

       -   By visiting this page on our website: https://securityhubs.io/contact/

       -   By phone number: +1 302-330-2121

       -   By mail: 2093 Philadelphia Pike #4494, Claymont, 19703, Delaware, United States

Security

Last updated - November 15, 2020

  • Security Policy

  • At Security Hubs, security is our top priority. We have implemented a continuous process to check and improve our current security measures, to ensure that the data of our customers and consultants is secure and safe. Here are some of the security measures we have taken, and constantly improve, to protect and defend the Security Hubs infrastructure.

    ENCRYPTING DATA IN TRANSIT

    All HTTP traffic to Security Hubs runs over a TLS (SSL) encrypted connection, and we only accept traffic on port 443. We use the HTTP Strict Transport Security (HSTS) header with the preload option, which instructs browsers never to make requests to us over an unencrypted connection.

    Hosting and Database Storage

    Security Hubs is hosted via Google Cloud, AWS and Netlify and managed within Google / AWS / Netlify data centers that leverage the security of those cloud providers.

    ENCRYPTING DATA AT REST, DATABASE

    All Security Hubs data at rest, and the associated keys, are encrypted using the industry-standard AES-256 algorithm. Only once an authorized user is granted access to his data will that subset of data be decrypted. For further details on encryption at rest, please see Encryption at Rest in Google / AWS Cloud Platform.

    ENCRYPTING DATA AT REST, STATIC FILES

    Static files, such as images and other documents, are persisted in Google / Digital Ocean / Netlify storage. All static files are encrypted before they are stored, so they are encrypted while at rest.

    GCP / AWS SECURITY PRACTICES

    Google Cloud Platform and AWS infrastructure are certified for a growing number of compliance standards and controls and undergo several independent third-party audits to test for data safety, privacy, and security. Read more about the specific certifications on the AWS / GCP compliance pages. More information about their security can be found in the AWS / Google Security Overview.


    ORGANIZATION

    We require all employees to use strong, unique passwords for Security Hubs accounts, and to set up two-factor authentication on each device and service where available. All Security Hubs employees are required to use recognized password managers to generate and store strong passwords, and are also required to encrypt local hard drives and enable screen locking for device security. All access to application admin functionality is restricted to a subset of Security Hubs staff and further restricted by IP and other security measures.

    MONITORING AND NOTIFICATIONS

    Security Hubs uses several services to automatically monitor uptime and site availability. Key employees receive automatic email and SMS notifications in the case of downtime or emergencies.

    VULNERABILITY DISCLOSURE

    If you have found a vulnerability in our infrastructure that you consider we should pay attention to, we encourage you to send us a detailed email with a comprehensive technical description, reproduction steps, and a meaningful PoC at security[at]securityhubs.io.

    If the finding is confirmed, its likelihood/impact will be quantified and a bounty awarded accordingly.

    EMERGENCY

    In the unlikely event of a security breach, we have procedures to respond to it, including restricting access to the web application, a site-wide password reset, etc.

Disclaimer

Last updated - June 30, 2020

  • Disclaimer Policy

  • If you require any more information or have any questions about our site's disclaimer, please feel free to contact us by email at [email protected].

    All the information on this website - https://securityhubs.io - is published in good faith and for general information purposes only. Security Hubs does not make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this website (https://securityhubs.io) is strictly at your own risk. Security Hubs will not be liable for any losses and/or damages in connection with the use of our website.

    From our website, you may be able to visit other websites by following hyperlinks to such external sites. While we strive to provide only quality links to useful and ethical websites, we have no control over the content and nature of these sites. These links to other websites do not imply a recommendation for all the content found on these sites. Site owners and content may change without notice, and this may occur before we have the opportunity to remove a link which may have gone 'bad'.

    Please be also aware that when you leave our website, other sites may have different privacy policies and terms which are beyond our control. Please be sure to check the Privacy Policies of these sites as well as their "Terms of Service" before engaging in any business or uploading any information.

    CONSENT

    By using our website, you hereby consent to our disclaimer and agree to its terms.

    UPDATE

    If we update, amend or make any changes to this document, those changes will be prominently posted here.

Terms and Conditions

Last updated - May 18, 2021

  • Terms and Conditions Policy

  • Welcome to Security Hubs!

    These terms and conditions outline the rules and regulations for the use of Security Hubs's Website, located at https://securityhubs.io.

    By accessing this website we assume you accept these terms and conditions. Do not continue to use Security Hubs if you do not agree to all of the terms and conditions stated on this page.

    The following terminology applies to these Terms and Conditions, Privacy Statement and Disclaimer Notice and all Agreements: "Client", "You" and "Your" refers to you, the person logging on to this website and compliant with the Company’s terms and conditions. "The Company", "Ourselves", "We", "Our" and "Us", refers to our Company. "Party", "Parties", or "Us", refers to both the Client and ourselves. All terms refer to the offer, acceptance and consideration of payment necessary to undertake the process of our assistance to the Client in the most appropriate manner for the express purpose of meeting the Client’s needs in respect of provision of the Company’s stated services, in accordance with and subject to, the prevailing law of the Netherlands. Any use of the above terminology or other words in the singular, plural, capitalization and/or he/she or they, are taken as interchangeable and therefore as referring to the same.

    Cookies

    We employ the use of cookies. By accessing Security Hubs, you agree to the use of cookies in agreement with Security Hubs's Privacy Policy.

    Most interactive websites use cookies to let us retrieve the user’s details for each visit. Cookies are used by our website to enable the functionality of certain areas to make it easier for people visiting our website. Some of our affiliate/advertising partners may also use cookies.

    License

    Unless otherwise stated, Security Hubs and/or its licensors own the intellectual property rights for all material on Security Hubs. All intellectual property rights are reserved. You may access this material from Security Hubs for your own personal use, subject to the restrictions set in these terms and conditions.

    YOU MUST NOT

       -   Republish material from Security Hubs

       -   Sell, rent or sub-license material from Security Hubs

       -   Reproduce, duplicate or copy material from Security Hubs

       -   Redistribute content from Security Hubs

    This Agreement shall begin on the date hereof.

    HYPERLINKING TO OUR CONTENT

    The following organizations may link to our Website without prior written approval:

       -   Government agencies;

       -   Search engines;

       -   News organizations;

       -   Online directory distributors may link to our Website in the same manner as they hyperlink to the Websites of other listed businesses; and

       -   System wide Accredited Businesses, except soliciting non-profit organizations, charity shopping malls, and charity fundraising groups, which may not hyperlink to our Website.

    These organizations may link to our home page, to publications or to other Website information so long as the link: (a) is not in any way deceptive; (b) does not falsely imply sponsorship, endorsement or approval of the linking party and its products and/or services; and (c) fits within the context of the linking party’s site.

    These organizations may link to our home page so long as the link: (a) is not in any way deceptive; (b) does not falsely imply sponsorship, endorsement or approval of the linking party and its products or services; and (c) fits within the context of the linking party’s site.

    If you are one of the organizations listed in paragraph 2 above and are interested in linking to our website, you must inform us by sending an e-mail to Security Hubs. Please include your name, your organization name, contact information as well as the URL of your site, a list of any URLs from which you intend to link to our Website, and a list of the URLs on our site to which you would like to link. Wait 2-3 weeks for a response.

    Approved organizations may hyperlink to our Website as follows:

       -   By use of our corporate name; or

       -   By use of the uniform resource locator being linked to; or

       -   By use of any other description of our Website being linked to that makes sense within the context and format of content on the linking party’s site.

       -   No use of Security Hubs's logo or other artwork will be allowed for linking absent a trademark license agreement.

    iFrames

    Without prior approval and written permission, you may not create frames around our Webpages that alter in any way the visual presentation or appearance of our Website.

    Content Liability

    We shall not be held responsible for any content that appears on your Website. You agree to protect and defend us against all claims arising on your Website. No link(s) should appear on any Website that may be interpreted as libelous, obscene or criminal, or which infringes, otherwise violates, or advocates the infringement or other violation of, any third party rights.

    Reservation of Rights

    We reserve the right to request that you remove all links or any particular link to our Website. You agree to immediately remove all links to our Website upon request. We also reserve the right to amend these terms and conditions and its linking policy at any time. By continuously linking to our Website, you agree to be bound to and follow these linking terms and conditions.

    Removal of links from our website

    If you find any link on our Website that is offensive for any reason, you are free to contact and inform us at any moment. We will consider requests to remove links, but we are not obligated to do so or to respond to you directly.

    We do not ensure that the information on this website is correct; we do not warrant its completeness or accuracy; nor do we promise to ensure that the website remains available or that the material on the website is kept up to date.

    Disclaimer

    To the maximum extent permitted by applicable law, we exclude all representations, warranties and conditions relating to our website and the use of this website. Nothing in this disclaimer will:

       -   limit or exclude our or your liability for death or personal injury;

       -   limit or exclude our or your liability for fraud or fraudulent misrepresentation;

       -   limit any of our or your liabilities in any way that is not permitted under applicable law; or

       -   exclude any of our or your liabilities that may not be excluded under applicable law.

    The limitations and prohibitions of liability set in this Section and elsewhere in this disclaimer: (a) are subject to the preceding paragraph; and (b) govern all liabilities arising under the disclaimer, including liabilities arising in contract, in tort and for breach of statutory duty.

    As long as the website and the information and services on the website are provided free of charge, we will not be liable for any loss or damage of any nature.

Location and Address

Last updated - February 12, 2021

  • Location Details

  • Through our United States company, we serve our clients globally from Auckland HQ, New Zealand.

    You can send your mailings to:

  • Security Hubs, United States

    2093 Philadelphia Pike, #4494, Claymont, 19703, Delaware, United States

    Ph: (302) 330-2121
  • Security Hubs, New Zealand

    BK's Four Square, #89215, 0630 Auckland, New Zealand

    Ph: (+64) 955-37456
  • Looking to use secure channels?

    Consider using SendSafely.