Reporting a security issue

Here is our guidance on working with us to report a security issue in any of our products (including our website).

Security is paramount to us at Strivacity. We work diligently to ensure the organizations and brands depending on Strivacity can do so with the fundamental understanding that their information is secure and private.

We strongly believe in tackling and resolving security issues head on, and we value the crucial role security researchers play in helping us improve our products and services.

Guidelines for responsible disclosure

At Strivacity, we promise to investigate all reports of security issues and work quickly to address verifiable vulnerabilities.

Once we verify and address an uncovered issue, all we ask is that you give us the opportunity to provide our customers with a fix before releasing any information publicly.

As we work together toward resolution, we will give you full public acknowledgement for helping improve the security of our offerings.

Excluded issues

Unless you are able to demonstrate an issue which results in a chained attack with a high impact, we ask that you do not report to us any of the following issues:

  • Issues exploitable through clickjacking

  • Missing HTTP security headers

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages

  • The OPTIONS / TRACE HTTP method enabled

  • Anti-MIME-Sniffing header X-Content-Type-Options

  • Username, email address or phone number discovery via a Login page error message

  • Username, email address or phone number discovery via a Forgotten Password error message

  • Error messages (e.g. Stack Traces, application or server errors)

  • Disclosure of known public files or directories (e.g. robots.txt)

  • Clickjacking and issues only exploitable through clickjacking

  • CSRF on forms that are available to anonymous visitors

  • Logout Cross-Site Request Forgery (logout CSRF)

  • Remember my device or Remember my username functionality

  • Lack of Secure and HTTPOnly cookie flags

  • Lack of Security Speedbump when leaving the site

  • SSL Attacks such as BEAST, BREACH, Renegotiation attack

  • SSL Forward secrecy not enabled

  • SSL Insecure cipher suites

  • Spam related issues such as DMARC

Ready to tell us about a security issue?

First and foremost, please wait until we have acknowledged and fixed the issue before publicizing it, for example by posting it to a public forum, sharing it on social media, and/or presenting it as part of a conference talk. We take the security and privacy of our customers extremely seriously, and their protection is of the utmost importance.

When you’re ready to report a security issue, please email us at [email protected]. If you can, utilize our PGP key below.

Our PGP fingerprint is: CB4C 7C3D 3586 425B F7FB 4B01 500D 02FC AFDA 582F

In your email, please provide the following:

1) A detailed description relaying the steps to reproduce the vulnerability, as well as exactly where in the process the vulnerability is found

2) A classification of the vulnerability using the NIST Common Vulnerability Scoring System (CVSS). While this information is helpful to us, it is not required if you’re unable to provide it.

Strivacity PGP public key
