Security
Last updated: June 8, 2026
Reporting a Vulnerability
If you believe you have found a security vulnerability in FirstCall, please email hi@firstcall.dev with the subject line beginning [SECURITY]. Include:
- A clear description of the vulnerability and its potential impact
- Steps to reproduce, including any test accounts or payloads
- The affected component (e.g., specific URL, API endpoint, or product surface)
- Your name and contact details (optional — anonymous reports are also accepted)
Response SLA
We will acknowledge your report within two business days (Monday – Friday, Indian Standard Time). We will provide a substantive status update — including remediation timeline or a request for additional information — within 30 days of the initial acknowledgment.
Scope
The following are in scope for vulnerability disclosure:
- The FirstCall API (api.firstcall.dev) — authentication, authorization, input validation, data exposure
- The FirstCall admin dashboard (app.firstcall.dev) — including OAuth flows and session handling
- The FirstCall marketing site (firstcall.dev)
- The FirstCall Zoom Meeting SDK integration — including JWT signing, bot session isolation, and meeting-data handling
- The FirstCall WebSocket and webhook authentication mechanisms (signature verification, replay protection)
Out of Scope
The following are NOT in scope for this program:
- Denial-of-service or rate-limit-bypass research that may degrade service for other users
- Social engineering of FirstCall employees, customers, or contractors
- Physical security testing
- Vulnerabilities in third-party services we depend on (AWS, LemonSqueezy, Zoom, NextAuth, etc.) — please report those directly to the respective vendor
- Recently disclosed CVEs in dependencies that we have not yet had the opportunity to patch in normal release cadence
- Reports based solely on automated scanner output without a demonstrated exploit
- Missing security headers or best-practice configurations that do not constitute an exploitable vulnerability
Safe Harbor
FirstCall will not pursue legal action against security researchers who:
- Make a good-faith effort to comply with this policy
- Avoid privacy violations, data destruction, or service degradation
- Provide us a reasonable opportunity to remediate before disclosure
- Do not exploit a vulnerability beyond what is necessary to demonstrate it
If your research falls within these guidelines, we treat it as authorized testing and waive any legal claims arising from the activity. If in doubt about whether a specific activity is covered, email us before proceeding.
Recognition
We may, at our discretion and with your permission, publicly credit researchers who report valid vulnerabilities. We do not currently operate a paid bug bounty program.