Security is paramount to us at Strivacity. We work diligently to ensure the organizations and brands depending on Strivacity can do so with the fundamental understanding that their information is secure and private.
We strongly believe in tackling and resolving security issues head on, and we value the crucial role security researchers play in helping us improve our products and services.
Guidelines for responsible disclosure
At Strivacity, we promise to investigate all reports of security issues and work quickly to address verifiable vulnerabilities.
Once we verify and address an uncovered issue, all we ask is you give us the opportunity to provide our customers with a fix before releasing any information publicly.
As we work together toward resolution, we will give you full public acknowledgement in helping improve the security of our offerings.
Unless you are able to demonstrate an issue which results in a chained attack with a high impact, we ask that you do not report to us any of the following issues:
- Issues exploitable through clickjacking
- Missing HTTP security headers
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- The OPTIONS / TRACE HTTP method enabled
- Anti-MIME-Sniffing header X-Content-Type-Options
- Username, email address or phone number discovery via a Login page error message
- Username, email address or phone number via Forgotten Password error message
- Error messages (e.g. Stack Traces, application or server errors)
- Disclosure of known public files or directories, (e.g. robots.txt)
- Clickjacking and issues only exploitable through clickjacking
- CSRF on forms that are available to anonymous visitors
- Logout Cross-Site Request Forgery (logout CSRF)
- Remember my device or Remember my username functionality
- Lack of Secure and HTTPOnly cookie flags
- Lack of Security Speedbump when leaving the site
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL Insecure cipher suites
- The Anti-MIME-Sniffing header X-Content-Type-Options
First and foremost, please wait until we have acknowledged and fixed the issue before publicizing - for example, posting it to a public forum, sharing it on social media, and/or presenting it as part of a conference talk. We take the security and privacy of our customers extremely seriously, and their protection is of the utmost importance.
Our fingerprint is: CB4C 7C3D 3586 425B F7FB 4B01 500D 02FC AFDA 582F
In your email, please provide the following:
- A detailed description relaying the steps to reproduce the vulnerability, as well as exactly where in the process the vulnerability is found
- A classification of the vulnerability using NIST Common Vulnerability Scoring System (CVSS) - while this information is helpful to us, it is not required if you’re unable to provide