Disclosing Security Vulnerabilities to Answering Service Vendors

by Justin Massey

July 18, 2023


How do you know if your telephone answering service (TAS) software is secure? Your TAS business may not be able to afford a full-time cybersecurity expert to evaluate whether your answering service software is vulnerable to attack. Until now, most answering services have taken their vendors’ word on whether they are secure. Trusting your vendors to develop secure code is important, but we should verify that what they have implemented is truly secure. Enter Relay Hawk.

Relay Hawk’s mission is to secure all answering services, and one necessary facet to achieve this mission is to conduct security research on TAS software. We relay any findings we identify to the vendors and answering services to improve the security of your software.

Relay Hawk conducted security research on the popular TAS vendors’ software and identified vulnerabilities ranging from critical to low severity. As a result, Relay Hawk established a vulnerability reporting process to inform the vendors of these security vulnerabilities. This blog post covers that process in detail.

Relay Hawk’s Vulnerability Reporting Process

Transparency is an important pillar in the security industry, and this vulnerability process describes Relay Hawk’s systematic approach to disclosing vulnerabilities identified in the TAS industry. Relay Hawk will first identify the vulnerability, then report the vulnerability to the vendor. Next, Relay Hawk will inform verified members of the answering services industry about the vulnerability. Afterward, Relay Hawk will work with the software vendor on a patch and, when it is released, will communicate this information to the answering services running the software. Lastly, Relay Hawk will share insights and lessons learned from the vulnerability.

Identify the Vulnerability

Relay Hawk first conducts security research using widely adopted industry standards, open-source and commercial tools, and manual methods. By following established industry practices and leveraging our expertise in cybersecurity, Relay Hawk’s goal is to provide the vendors with accurate and actionable security findings to help improve the security posture of the answering service industry.

Relay Hawk will provide detailed answers to questions regarding the identified vulnerabilities during the research process. This process includes determining the scope of impact, clearly defining the nature of the vulnerability, and explaining why remediation is necessary. Additionally, Relay Hawk provides valuable resources and references for further learning about the vulnerabilities identified. By addressing these questions, Relay Hawk ensures that the vulnerability reports and findings are accurate and actionable.

Report the Vulnerability to the Vendor

Once Relay Hawk prepares the vulnerability report, we will promptly report the vulnerability to the vendor. We follow responsible disclosure practices, including contacting the vendor's security team through established channels or security@vendor.com. We will share the comprehensive vulnerability report with the vendor, enabling them to investigate and address the issue.

Vendors play the most important role in the vulnerability reporting and disclosure process. Relay Hawk recommends that vendors swiftly acknowledge any submitted vulnerability reports. Establishing clear procedures for handling and responding to security notices ensures efficient communication and resolution. To foster a collaborative approach, vendors can consider implementing bug bounty programs, incentivizing security researchers to disclose vulnerabilities responsibly. By rewarding researchers for their findings, vendors demonstrate their commitment to security and foster a cooperative relationship with the security community.

Notify Answering Services of the Vulnerability

At Relay Hawk, we believe in empowering industry members to protect their systems and customers. To achieve this, we promote the distribution of executive summaries to verified members of the answering service industry. These summaries highlight the severity of the vulnerability, provide guidance on pressing the vendor for remediation, and suggest mitigation steps for affected customers.

It is common in the security industry to publicly disclose vulnerabilities after the vendors remediate the issues. If a vendor does not remediate the vulnerability within an acceptable timeline, typically three to six months, some security researchers will publicly expose the vulnerability to shame the vendor into resolving the vulnerability. However, Relay Hawk will not shame the vendor by publicly disclosing the vulnerability but will rely on the answering service owners and operators to push the vendor to remediate the vulnerability.

Collaborate with the Vendor

Collaboration between Relay Hawk and the software vendor is vital for successful vulnerability remediation. At Relay Hawk, we advocate for an open and cooperative approach, allowing for effective coordination and timely resolution. By working together, both parties can address vulnerabilities efficiently, reducing the risk to systems and users.

Inform Answering Services That a Patch is Available

Once the vendor remediates the vulnerability, Relay Hawk will inform the answering services that a patch is available. It is now the responsibility of the answering service to quickly update the vulnerable software so that an attacker cannot exploit the vulnerability.

Share Insights and Lessons Learned

Relay Hawk may write high-level blog posts about vulnerabilities and their remediation to foster knowledge sharing and enhance industry-wide security practices. By sharing insights and lessons learned, vendors and answering services can educate each other and contribute to a more secure software landscape.

Conclusion

Relay Hawk will continue to conduct security research to achieve its mission of securing the telephone answering service industry. Relay Hawk will utilize the process laid out in this blog post to responsibly report vulnerabilities to the vendors and disclose the vulnerabilities to the answering services.

How Can You Help?

Our customers and their commitment to improving the TAS industry's security are essential for Relay Hawk to continue identifying security issues in the industry. You can support this research by becoming a Relay Hawk customer. Relay Hawk monitors your infrastructure for security misconfigurations and vulnerabilities, reviews your agents’ day-to-day technical processes and identifies ways to secure your business without impacting their workflow, and performs other security services to ensure that your business can thwart a cybersecurity attack.

Would you like to discuss cybersecurity in the TAS industry? You can schedule a meeting with Relay Hawk today!
