Report a security issue

Security is paramount to us at Strivacity. We work diligently to ensure the organizations and brands depending on Strivacity can do so with the fundamental understanding that their information is secure and private.

We strongly believe in tackling and resolving security issues head on, and we value the crucial role security researchers play in helping us improve our products and services.

Guidelines for responsible disclosure

At Strivacity, we promise to investigate all reports of security issues and work quickly to address verifiable vulnerabilities.

Once we verify and address an uncovered issue, all we ask is that you give us the opportunity to provide our customers with a fix before releasing any information publicly.

As we work together toward resolution, we will give you full public acknowledgement of your help in improving the security of our offerings.

Excluded Issues

Unless you are able to demonstrate an issue that results in a chained attack with a high impact, we ask that you do not report any of the following issues to us:

  1. Issues exploitable through clickjacking
  2. Missing HTTP security headers
  3. HTTP 404 codes/pages or other HTTP non-200 codes/pages
  4. The OPTIONS / TRACE HTTP method enabled
  5. Anti-MIME-Sniffing header X-Content-Type-Options
  6. Username, email address or phone number discovery via a Login page error message
  7. Username, email address or phone number discovery via a Forgotten Password error message
  8. Error messages (e.g. Stack Traces, application or server errors)
  9. Disclosure of known public files or directories (e.g. robots.txt)
  10. Clickjacking and issues only exploitable through clickjacking
  11. CSRF on forms that are available to anonymous visitors
  12. Logout Cross-Site Request Forgery (logout CSRF)
  13. Remember my device or Remember my username functionality
  14. Lack of Secure and HTTPOnly cookie flags
  15. Lack of Security Speedbump when leaving the site
  16. SSL Attacks such as BEAST, BREACH, Renegotiation attack
  17. SSL Forward secrecy not enabled
  18. SSL Insecure cipher suites
  19. The Anti-MIME-Sniffing header X-Content-Type-Options

Ready to tell us about a security issue?

First and foremost, please wait until we have acknowledged and fixed the issue before publicizing - for example, posting it to a public forum, sharing it on social media, and/or presenting it as part of a conference talk. We take the security and privacy of our customers extremely seriously, and their protection is of the utmost importance.

When you’re ready to report a security issue, please email us at security@strivacity.com. If you can, utilize our PGP key, available here: Strivacity PGP public key.

Our fingerprint is:
CB4C 7C3D 3586 425B F7FB 4B01 500D 02FC AFDA 582F

In your email, please provide the following:

  • A detailed description relaying the steps to reproduce the vulnerability, as well as exactly where in the process the vulnerability is found
  • A classification of the vulnerability using the NIST Common Vulnerability Scoring System (CVSS) - while this information is helpful to us, it is not required if you’re unable to provide it