Reporting a Security Issue

Here is our guidance on working with us to report a security issue in any of our products (including our website).

Security is paramount to us at Strivacity. We work diligently to ensure the organizations and brands depending on Strivacity can do so with the fundamental understanding that their information is secure and private.

We strongly believe in tackling and resolving security issues head on, and we value the crucial role security researchers play in helping us improve our products and services.

Guidelines For Responsible Disclosure

At Strivacity, we promise to investigate all reports of security issues and work quickly to address verifiable vulnerabilities.

Once we verify and address an uncovered issue, all we ask is you give us the opportunity to provide our customers with a fix before releasing any information publicly.

As we work together toward resolution, we will give you full public acknowledgement in helping improve the security of our offerings.

Excluded Issues

Unless you are able to demonstrate an issue which results in a chained attack with a high impact, we ask that you do not report to us any of the following issues:

1) Issues exploitable through clickjacking

2) Missing HTTP security headers

3) HTTP 404 codes/pages or other HTTP non-200 codes/pages

4) The OPTIONS / TRACE HTTP method enabled

5) Anti-MIME-Sniffing header X-Content-Type-Options

6) Username, email address or phone number discovery via a Login page error message

7) Username, email address or phone number via Forgotten Password error message

8) Error messages (e.g. Stack Traces, application or server errors)

9) Disclosure of known public files or directories, (e.g. robots.txt)

10) Clickjacking and issues only exploitable through clickjacking

11) CSRF on forms that are available to anonymous visitors

12) Logout Cross-Site Request Forgery (logout CSRF)

13) Remember my device or Remember my username functionality

14) Lack of Secure and HTTPOnly cookie flags

15) Lack of Security Speedbump when leaving the site

16) SSL Attacks such as BEAST, BREACH, Renegotiation attack

17) SSL Forward secrecy not enabled

18) SSL Insecure cipher suites

19) The Anti-MIME-Sniffing header X-Content-Type-Options

20) Spam related issues such as DMARC

Ready To Tell Us About A Security Issue?

First and foremost, please wait until we have acknowledged and fixed the issue before publicizing - for example, posting it to a public forum, sharing it on social media, and/or presenting it as part of a conference talk. We take the security and privacy of our customers extremely seriously, and their protection is of the utmost importance.

When you’re ready to report a security issue, please email us at security@strivacity.com. If you can, utilize our PGP key below.

Our PGP fingerprint is: CB4C 7C3D 3586 425B F7FB 4B01 500D 02FC AFDA 582F

In your email, please provide the following:

1) A detailed description relaying the steps to reproduce the vulnerability, as well as exactly where in the process the vulnerability is found

2) A classification of the vulnerability using NIST Common Vulnerability Scoring System (CVSS) - while this information is helpful to us, it is not required if you’re unable to provide

Strivacity PGP Public Key

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF18U9wBEAC9L7EX7Ml/FIruy5gsxCU0ORyZtJiyaocRgysqYjxOHQcjpjPn
kalWWOdEZk2M/qtU2MgjXlmd4+/dAXLLGu3QUcS5mTuNBtSFjkk1TCWQYRMYrGpd
gKVNPp/f60wd+e3hQ7n1sXvCtVnrPwzEIgT/LKwqM/b5dABMR/73D7YTs5AUOYlD
AhsWeZyCFtexExGN9oC/2RcrjMX3ajOYd19BlNgZ2OrY0XMxXBJwPOqk+fDAYgZl
D3KRu9Z31WrPFg6NKF2H57BfebZtig1SHChN1alZfIQ2btNiE4nFTHdC936o2tXF
nboGe9cGw23SJlUDg3Wi/+k2zcUeu6IitVefNDORWZHxSaZScEJ4Uobp2JLUShKs
ipyBrIuRmthyCnnTvaQ+lJEkvLgLnaHA2FNPLRXUDbXhhrVSjJK0+XEEwDZvOMiL
H/EzyryjZb3B4jYJhRpJbIyLz6dJBOA6rcmN3E7khbY/yTNojcPNYjxO/CV6/w6Q
QfxPbIarsI/f4zWVyH1/L3I0KWkhNNxUQ9uY0gYYPG4GczPoqn5k5FDP4oJzp2f1
l32naAduxlsCkJ5DOc0wDlVngWfmkeyrGnKb3pVxrFmA/87FYKcBxu6HlWxQhi1g
Zn82olQGSKqfdySUGcQR6olRGL4dwrtPNn5wB0XRv9qYj1hL3gd7PGevywARAQAB
tD1TdHJpdmFjaXR5IFZ1bG5lcmFiaWxpdHkgU3VibWlzc2lvbiA8c2VjdXJpdHlA
c3RyaXZhY2l0eS5jb20+iQJOBBMBCAA4FiEEy0x8PTWGQlv3+0sBUA0C/K/aWC8F
Al18U9wCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQUA0C/K/aWC9ZCQ/5
AVRI6uI8y1nSQg30WElUUPgmLqvy+ZYcH+pHf4c7VUtm2qLVRs7VewMLNGlg8lo1
a1hylv241zMVL2rJouM6hO2IJFzkHlVPKboIxJlxnMNsVi2rLce+zFZGyzxYMDfR
qF/1LwSn2SQdbOfvZp7O4mSUk6tWhu7bOO8kxxPlOvIFC+47Kxn0rf0+bg2JRqxH
Bo915YiZfIwq7ILB9kiBukjFTZuLNoFlekoHxgK4OCnfCStNg8OXHkkRcQem2Ptk
bzPgPy3EtZ0BB/qiRN3kEHMdJCZkQ24W9wQ/fS8JkkTrsCVIbT7g/4MJ29mk1klx
u5nvsSI1heoRotNcAh0CI+AzuqSGsvov+kIcHKNNQvhZ8kb9Y43B8utJKiw3a8Al
yEjlqPSF4JVYC1HprEccyKpyzzMcLfYS6zi9iOiya/IuOfZLOOJASDrvD3HQguaa
s1te8vwHbS7GqUoVBe82ZCJju3Vj1ta5eOH/BlKIEr2ZJaSIbgdtXImu08prikl9
jju3Ne4KD9IDEA3XPhAF5cOR6TprcakDUS/BajZxv6AcHx+P258UrM05or3U/tgT
8mDSG/vbjE5gFkJtR+lRxK+wi38nUaExxvD3ikq36Oj2s2BxCXFnkZljub6kMtHL
V7bfsYvpaFUBG7n6ql/IPU1uGI5KntzSaIU7w2qieQG5Ag0EXXxT3AEQAMXDx5CY
NEl/laEF+tlJk2ux/j5LuyimYsgn8Ie47zRPIejR5apHiWM1D7bOOtn+q03SaVpY
SQjEKRbODgp3Y4I26mRUlrQ24jE/6/Nc6BFv9uw54mSzbbeICRuoWBVqEavLw99Z
oJO7UbHRPzj0+qmwyCZ7kPDoEJ2NStBIMnSOAYco/2DuctAbe3rLkam9EBRDxPmU
WVD61krYU2pIqjGHZQOKuCx/JwE5Qf86nKS5JHJY7blDJCp/A4XcmKX36mJBw622
YCSzaQ6RaLOb8Co3x2KBGf0T0swdEQQzTwtOpmRqxR9oyUhg+2sX4iiOtHG5I4P1
SL5u42d1D1+ksLWhtHOhDBlLgnuSKmWhSuCnuYxmvEUVpceB3Uxz1z3XTqKBFt2G
FjlXIIfx7EFj4Fpr1vA6w7Sib777z5oYJ7eMD0thVwMRUBJQQ1ILJQ9WSNo4wYKH
wD9xNAJorzzOClNFI1EROuzcJsoouS7yv4i6KUT2LoBGMoRrupEDzknPUk3NNTIo
fjAFtisEjnndmyFtauzwrFO/E5vWjr9pvuT/pt0/7eA7PwBsQnj9kpHXl+N3GaNI
pl9gSAUtD09fQ4nioKq7caXQZQfesmoDNK73f317gF7WgIialYbLNKGZiBh3uSwK
iKFAU2UUkp9h/qmoNsxVXpvMrvvOXwl3PD/jABEBAAGJAjYEGAEIACAWIQTLTHw9
NYZCW/f7SwFQDQL8r9pYLwUCXXxT3AIbDAAKCRBQDQL8r9pYL58+D/4uf6oJpz+j
29EfbZjUOFvIkiTYDDFNUv2hKIBVayYE7pUsAqg6Qs7Q6xb+CqZI0aOCly2Re+sr
7jS1mbqI+gZdgkGOi/3I1JKnrkaKOe9YPqswztt+Q9lLN1YDY+u6+TMWqsc0O0V3
aUO42gsw+nvYCAQfri6zp6k/OS3IhnryNtLHRpcxgcff82UfrMfZTMyvi0aQMut+
OKIZyuTbtchhxy57rokC3vYscYTzn1DsbdczasSs3tDWNdLN/p5MIrIDVbEeSa1z
TceFwWY3i63ncObn5Vm/Ukx0lJA5OqRPLERe1t6fScIdbPFXDhHPb+LBpO7P2xGF
UsbDVFzfHS4B3UmS/A6Jc2a2kc3I6MDrXpyLM/b/lUY7Dligx1hL7NY/KhECc1pG
+rrkgYgcxdN9fCJqDW0qwIniLfK/QLN4NEgalN3nuZnzdswSahlWc3H947hSCfOy
ZKktdrBUi25vGS/g1Fdc4Yo7aoFN0In6X6QZIZaKmU2t6ut4pU5yYP4EO0dWHYki
uCXTrezihnwabvD0D3WH56CDZtrBSBXNygI3RsPDkqfAfU7Bcw+LY1svSD5O8kp6
xgmwpWxqzPvB96WNLoftT8EHuyDMUGnDdVZ4QECjyX1qjKWnE0f2kx8MFbh8XQbz
nFbcQUHzDibU6/4RblpT33HBfW/HhMomzA==
=S0It
-----END PGP PUBLIC KEY BLOCK-----