When reporting a security vulnerability in CivicPlus systems or software, please send CivicPlus technical support a detailed, step-by-step description of how the vulnerability is exploited (that is, how an attack could actually be carried out using it) so that we can re-test and confirm the issue.
Vulnerability Scans
A vulnerability scan is an automated program designed to check your website for potential vulnerabilities. The vast majority of these scans do not test whether an exploit is possible; they merely flag places where a vulnerability could exist, typically by matching version strings, header names, or URL patterns. When a scan reports something as a vulnerability but the finding is not exploitable, it is known as a false positive.
Penetration Tests
A penetration test, also known as a pen test, is a simulated cyberattack against your website to safely check for exploitable vulnerabilities. Pen test reports should provide details on how exploitability was confirmed for any found vulnerabilities. See requirements for conducting a penetration test and submit all necessary information before beginning testing.
Reporting Requirements
- We value the safety and security of our clients and put forth our best effort to ensure that potential security vulnerabilities are examined thoroughly and promptly. To facilitate these investigations, we ask that you submit pen test reports, as they give us the best information when determining whether a vulnerability is real and how it can be exploited. Please report findings from vulnerability scans only when they concern website-specific or server-specific security configuration, such as HTTP response headers, TLS settings, and SSL/TLS certificates.
- Submit a request to CivicEngage technical support. Reports may be sent encrypted or placed somewhere that requires a log-in to access (e.g., a Dropbox folder shared with us). CivicEngage technical support can help facilitate this.
Important Note: Before engaging a provider to perform vulnerability testing on your website, please consider your requirements and the existing resources we already have available to you:
- Is your requirement to demonstrate that your website has passed a security scan or penetration test? CivicEngage Central is 3rd party penetration and vulnerability tested bi-annually and we can provide a 3rd party provider’s penetration and vulnerability testing formal statement of opinion upon request.
- Is your requirement to be PCI compliant? Please ensure you are using a PCI-compliant CivicPlus solution. CivicPlus can provide you with the formal 3rd party auditor’s Annual Attestation of Compliance (AOC) for any PCI compliant CivicPlus solution upon request.
Commonly Found False Positives
- X-Frame-Options header is missing or Clickjacking - Frameable Page. This is commonly reported by outdated security scanners. Our Content-Security-Policy HTTP header includes a frame-ancestors directive, which the CSP specification defines as superseding X-Frame-Options; browsers that support frame-ancestors apply it and ignore X-Frame-Options when both are present. Note that frame-ancestors is only honored when delivered as an HTTP header, not in a meta tag, so check the response headers rather than the page source.
- Use of JavaScript Library with Known Vulnerability or Outdated jQuery. An outdated jQuery library does not necessarily mean there is an exploitable vulnerability: the attack vector may not apply in the context where the library is used. jQuery has thousands of functions and we may not use the affected ones, and where we do use an affected function on the front end, the back end may mitigate the issue with another technology. Bottom line: with libraries, it is nowhere near as simple as comparing version numbers. We are already aware of instances where libraries need to be updated, and whenever we have outdated libraries we take steps to mitigate the known vulnerabilities until we are able to fully update them. Please be able to demonstrate an exploit before reporting this issue.
- Cookie Does Not Contain the Secure or HttpOnly Attribute. None of the cookies lacking the Secure or HttpOnly attribute contain sensitive information or anything that could lead to user impersonation or compromise of the application account (session hijacking). Every cookie we set that does contain this kind of information carries both the Secure and HttpOnly attributes. If you believe a specific cookie without these attributes holds session or identity material, name the cookie in your report.
- Path-Based Vulnerability. Scanners often look for paths commonly used to reach administrative pages or APIs, but usually cannot tell whether those paths actually lead to sensitive or exploitable information, or whether authentication is required. Please verify that the path really resolves to a publicly accessible page that reveals sensitive information. For example, appending /API to a URL does not lead to any API directory, and appending /admin does not lead to any unprotected administrative page.
- Cross-Site Scripting (XSS). XSS findings can be real issues, but they can also be false positives (for instance, a scanner flagging a parameter whose value is reflected but correctly encoded in the output). It is important that you demonstrate the issue with a step-by-step reproduction, including the exact request and the resulting script execution, to show it is not a false positive.
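The clickjacking and cookie items above both come down to reading the actual response headers rather than trusting a scanner's pattern match. The following is an added example written for this article (not CivicPlus code) that triages both findings offline: it determines the effective anti-framing policy, treating an enforced CSP frame-ancestors directive as superseding X-Frame-Options and a wildcard frame-ancestors list as no protection, and it separates cookies that lack Secure/HttpOnly into those that matter and those that do not. The response headers, cookie names, origins, and the SENSITIVE_COOKIE_NAMES list are constructed assumptions for the example; in practice that list comes from the application's own design.

```python
"""Triage two findings that scanners often report against a site: a missing
X-Frame-Options header, and cookies set without Secure/HttpOnly.

Added example for this article, not CivicPlus code. The response headers,
cookie names and origins below are constructed for illustration."""

# Constructed sample response: CSP frame-ancestors is used instead of
# X-Frame-Options, and only the non-session cookies lack the flags.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy",
     "default-src 'self'; frame-ancestors 'self' https://*.example.gov"),
    ("Set-Cookie", "ui_theme=dark; Path=/"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "auth_token=xyz; Path=/"),
]

# Cookie names the application uses for session or identity material
# (an assumption for the example; take this list from the app's own design).
SENSITIVE_COOKIE_NAMES = {"ASP.NET_SessionId", "auth_token"}


def framing_policy(headers):
    """Return the effective anti-framing policy as (source, detail).

    source is "csp" when an enforced Content-Security-Policy header carries a
    frame-ancestors directive (supporting browsers then ignore X-Frame-Options),
    "xfo" when only a valid X-Frame-Options value is present, else "none".
    Content-Security-Policy-Report-Only is deliberately not matched: it reports
    but does not block.
    """
    xfo = None
    frame_ancestors = None
    for name, value in headers:
        lname = name.lower()
        if lname == "content-security-policy":
            for directive in value.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    frame_ancestors = tokens[1:]
        elif lname == "x-frame-options":
            xfo = value.strip().upper()
    if frame_ancestors is not None:
        return ("csp", frame_ancestors)
    if xfo in ("DENY", "SAMEORIGIN"):
        return ("xfo", xfo)
    return ("none", None)


def clickjacking_verdict(headers):
    """'false-positive' if the page is protected against framing, else 'report'."""
    source, detail = framing_policy(headers)
    if source == "xfo":
        return "false-positive"
    if source == "csp":
        # A frame-ancestors list that allows any origin is no protection at all.
        wildcard = any(s in ("*", "http:", "https:") for s in detail)
        return "report" if wildcard else "false-positive"
    return "report"


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def triage_cookies(headers, sensitive_names):
    """List (cookie, missing attributes, verdict) for cookies lacking Secure or HttpOnly.

    A flag missing from a cookie that carries no session or identity material is
    a false positive in the sense of this article; the same gap on a sensitive
    cookie is a real finding and should be reported with the cookie name.
    """
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            verdict = "report" if cookie in sensitive_names else "false-positive"
            findings.append((cookie, missing, verdict))
    return findings


if __name__ == "__main__":
    print("clickjacking:", clickjacking_verdict(SAMPLE_HEADERS))
    for cookie, missing, verdict in triage_cookies(SAMPLE_HEADERS, SENSITIVE_COOKIE_NAMES):
        print(f"cookie {cookie}: missing {', '.join(missing)} -> {verdict}")
```

To run this against a real site, capture the response headers with your browser's developer tools or a tool such as curl and pass them in as (name, value) pairs; only headers on the actual HTML response count, since frame-ancestors on a redirect or an asset does not protect the page. The report-only CSP header is intentionally ignored because it never blocks framing.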
Commonly Found Vulnerabilities that are NOT False Positives
- Active/Passive Mixed Content Vulnerability. This is a content-related issue (an HTTPS page that loads scripts, stylesheets, frames, images, or media over plain HTTP) and does not require CivicPlus-side intervention to remediate. The remediation steps are outlined here.
- HTTPS not enforced. We currently do not mandate this as a requirement for our clients' websites, but we strongly encourage it! Please see our help center articles on how to enforce HTTPS (enable HTTPS-only, also known as HTTPS by Default).
- HSTS not enabled. Since this is also not something CivicPlus mandates for clients, please report it so that we are aware it is something you would like enabled. If your site already has a hosting and security configuration that supports HSTS, we can enable it. If your site does not already have a supported configuration, we can provide you with all available options.
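Because the mixed content item above is something the site owner fixes in their own content, it helps to be able to locate the offending references before editing pages. The following is an added example written for this article (not CivicPlus code, and not the remediation steps the article links to) that parses an HTTPS page's HTML and lists every subresource fetched over plain HTTP, classified as active (scripts, stylesheets, frames, objects, which browsers block outright) or passive (images and media, which browsers warn about or upgrade). It resolves relative and protocol-relative URLs so that `/images/seal.png` and `//cdn.example.gov/app.js` are correctly not flagged. The page URL, host names, and markup are constructed for the example.

```python
"""Find active and passive mixed content in an HTTPS page's HTML.

Added example for this article, not CivicPlus code. The page URL and markup
below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresource loads browsers treat as active (blocked outright) or passive
# (loaded with a warning, or upgraded/blocked in newer browsers). Navigation
# links (<a href>) are not mixed content and are not checked.
SUBRESOURCES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # only for rel="stylesheet", see below
    ("object", "data"): "active",
    ("embed", "src"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}

# Constructed sample page with three mixed-content references and two
# references that look similar but are fine.
SAMPLE_PAGE_URL = "https://www.example.gov/departments/parks"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.gov/site.css">
<script src="//cdn.example.gov/app.js"></script>
</head><body>
<img src="http://www.example.gov/logo.png">
<img src="/images/seal.png">
<a href="http://www.example.gov/old-page">old link</a>
<iframe src="http://maps.example.org/embed?q=park"></iframe>
</body></html>"""


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets are active content; icons, preloads etc. are skipped here.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        for (t, attr), kind in SUBRESOURCES.items():
            if t == tag and attrs.get(attr):
                self._check(kind, tag, attrs[attr])

    def _check(self, kind, tag, raw_url):
        # Resolve relative and protocol-relative URLs against the page: "/x.png"
        # and "//cdn/x.js" inherit https and are therefore not mixed content.
        absolute = urljoin(self.page_url, raw_url.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    """Return [(kind, tag, url)] for every plain-http subresource on an https page."""
    if urlsplit(page_url).scheme != "https":
        return []   # a page served over http cannot have mixed content
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

The fix for each finding is to change the reference to `https://` (or to a relative or protocol-relative path on the same site) after confirming the resource is available over HTTPS; a reference that only exists over HTTP needs a different host. Scripts and stylesheets are worth fixing first, since browsers refuse to load them at all and the page will render broken rather than merely insecure.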