We have recently implemented the use of Quoting to push out from HubSpot all of our order forms to prospective customers, and upon doing so we have noted the major security flaw the URL generation has the potential to cause. The public nature of the quote, post submission/approval, is a security risk, leaving pricing, customer and contract information available. Although the auto-generated slugs add a level of security in their complexity, there is still potential for public access and user sharing, which is unacceptable for such a sensitive process in a customer's journey.

A few suggestions to mitigate/remove the risk here could include:

1. Introducing password protection against quotes sent out/URLs generated from the process, shared only via individuals with access to the quote produced.
2. Locking down (unsure as to how) URL access based on the senders/buyers on the quote being built/sent out.
3. Making the URL generation 'optional', allowing generation of a quote without a public URL against it.

The first two options above are more favourable, owing to utilising the e-signature platform via linking.