When reporting a security vulnerability in CivicPlus systems or software, please send to CivicPlus technical support a detailed step by step guide on how the security vulnerability is exploitable (a cyber-attack can be carried out using this vulnerability) so we can re-test and confirm it is an issue.

Vulnerability Scans

When something shows up on a security scan report as a vulnerability but it isn’t actually exploitable, this is known as a false positive. Often we get reports of security scanners that indicate issues such as old versions of libraries or generic vulnerabilities (jQuery, Cross-Site Scripting, X-Frame, Cookies, etc). The vast majority of these scans do not test whether an exploit is possible; they merely show instances where vulnerabilities could exist. Please do not send them 'as is.' Supplement any vulnerability scan reports with a step-by-step guide on how to exploit or trigger a problem.

Important Note: CivicPlus is not trying to ignore your security concerns. We conduct annual vulnerability scans and employ 3rd party penetration testers to ensure that our products have been pressure tested by security experts. What we are trying to avoid is noise and disruption to actual security productivity, which can come from superficial vulnerability testing results. Before engaging a provider to perform a vulnerability scan on your website, please consider your requirements and the existing resources we already have available to you:

1. Is your requirement to demonstrate that your website has passed a security scan or penetration test? CivicPlus can provide a 3rd party provider’s penetration and vulnerability testing formal statement of opinion upon request.
2. Is your requirement to be PCI compliant? Please ensure you are using a PCI compliant CivicPlus solution. CivicPlus can provide you with the formal 3rd party auditor’s Annual Attestation of Compliance (AOC) for any PCI compliant CivicPlus solution upon request.

Commonly Reported False Positives

• X-Frame-Options header is missing or Clickjacking - Frameable Page. This is commonly found by outdated security scanners. Our Content-Security-Policy HTTP header has a frame-ancestors directive which obsoletes the X-Frame-Options header.
• Use of JavaScript Library with Known Vulnerability or Outdated jQuery. An outdated jQuery library does not necessarily mean there is a software vulnerability, as the attack vector might not apply in the context of the software where it is used. jQuery has thousands of functionalities and we might not be using the ones exposed. jQuery might have a functionality with a bug that we use but that is just front end while the back end is mitigating the issue with another technology. Bottom line: in the case of libraries, it is nowhere as simple as looking at numbers of versions. We are already aware of instances where libraries need to be updated and whenever we have outdated libraries we already take steps to mitigate any known vulnerabilities until we are able to fully update these libraries. Please be able to demonstrate an exploit before reporting this issue.
• Cookie Does Not Contain The secure or HTTPOnly Attribute. None of the cookies not having the secure or HTTPOnly attributes contain sensitive information or any information that could lead to user impersonation or compromise of the application account (session hijacking). Any cookie we have which does contain this kind of information has both the secure and HTTPOnly attributes.
• Path-Based Vulnerability. Scanners often look for paths commonly used to access administrative pages or APIs but usually cannot ascertain whether these paths actually lead to sensitive/exploitable information or whether authentication is required. Please check whether the path actually redirects to publicly accessible pages that reveal sensitive information. Attempting to exploit a sensitive API path by adding /API doesn't redirect to any API directory, nor does adding /admin redirect to any unprotected administrative pages.
• Cross Site Scripting (XSS). XSS issues can be real issues and can also be false positives. It is important that you demonstrate the issue with a step-by-step approach to show it is not a false positive.

Commonly Reported Vulnerabilities that are NOT False Positives

• Active/Passive Mixed Content Vulnerability. This is a content-related vulnerability that does not require CivicPlus-side intervention to remediate. The remediation steps are outlined here. 
• HTTPS not enforced. We currently do not mandate this as a requirement for our client’s websites, but we strongly encourage it! Please see our help center articles on how to enforce HTTPS (enable HTTPS-only AKA HTTPS by Default).
• HSTS not enabled. Since this is also not something CivicPlus mandates on clients, please report this so that we are aware it is something you would like enabled. If your site already has an HSTS-supported hosting and security configuration we can enable it. If your site does not already have a supported configuration, we can provide you with all available options.