When reporting a security vulnerability in CivicPlus systems or software, please send CivicPlus technical support a detailed, step-by-step guide showing how the vulnerability is exploitable (that is, how a cyber-attack could be carried out using it) so we can re-test and confirm it is an issue.
When something shows up on a security scan report as a vulnerability but is not actually exploitable, this is known as a false positive. We often receive reports from security scanners that flag issues such as outdated library versions or generic vulnerability classes (jQuery, Cross-Site Scripting, X-Frame, cookies, etc.). The vast majority of these scans do not test whether an exploit is possible; they merely show instances where vulnerabilities could exist. Please do not send them 'as is.' Supplement any vulnerability scan report with a step-by-step guide on how to exploit or trigger the problem.
Important Note: CivicPlus is not trying to ignore your security concerns. We conduct annual vulnerability scans and employ third-party penetration testers to ensure that our products have been pressure tested by security experts. What we are trying to avoid is the noise and disruption to actual security work that superficial vulnerability testing results can cause. Before engaging a provider to perform a vulnerability scan on your website, please consider your requirements and the resources we already have available to you:
- Is your requirement to demonstrate that your website has passed a security scan or penetration test? CivicPlus can provide a 3rd party provider’s penetration and vulnerability testing formal statement of opinion upon request.
- Is your requirement to be PCI compliant? Please ensure you are using a PCI compliant CivicPlus solution. CivicPlus can provide you with the formal 3rd party auditor’s Annual Attestation of Compliance (AOC) for any PCI compliant CivicPlus solution upon request.
Commonly Reported False Positives
- X-Frame-Options header is missing, or Clickjacking - Frameable Page. This is commonly reported by outdated security scanners that check only for the X-Frame-Options header. Our Content-Security-Policy HTTP header includes a frame-ancestors directive, which supersedes the X-Frame-Options header.
- Cookie does not contain the Secure or HttpOnly attribute. The cookies that lack the Secure or HttpOnly attribute do not contain sensitive information or anything that could lead to user impersonation or compromise of the application account (session hijacking). Every cookie we set that does contain this kind of information has both the Secure and HttpOnly attributes.
- Path-Based Vulnerability. Scanners often look for paths commonly used to access administrative pages or APIs, but usually cannot determine whether these paths actually lead to sensitive or exploitable information, or whether authentication is required. Please check whether the path actually resolves to a publicly accessible page that reveals sensitive information. For example, appending /API to a URL does not lead to any API directory, and appending /admin does not lead to any unprotected administrative pages.
- Cross-Site Scripting (XSS). XSS findings can be real issues, but they can also be false positives. It is important that you demonstrate the issue step by step to show it is not a false positive.
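The two header-based items in the list above (the X-Frame-Options finding and the cookie-attribute finding) can be triaged from a single captured response before a report is filed. The script below is an added example for this article, not CivicPlus code: it parses the Content-Security-Policy header for a frame-ancestors directive and parses Set-Cookie values to separate cookies that carry session state from preference cookies. The header values, cookie names and the `SENSITIVE_COOKIES` list are constructed for the illustration.

```python
"""Triage two scanner findings against a captured HTTP response (added example)."""
from typing import Dict, Iterable, List, Optional


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def csp_frame_ancestors(headers: Dict[str, str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list from the CSP header, or None if absent."""
    csp = _lower_keys(headers).get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify how framing is restricted: 'csp', 'x-frame-options' or 'none'.

    A 'csp' result means an "X-Frame-Options missing" finding is a false
    positive, because frame-ancestors supersedes X-Frame-Options in browsers
    that support it. A wildcard frame-ancestors permits any origin, so it is
    treated as no protection.
    """
    sources = csp_frame_ancestors(headers)
    if sources is not None and sources != ["*"]:
        return "csp"
    if _lower_keys(headers).get("x-frame-options"):
        return "x-frame-options"
    return "none"


def parse_set_cookie(line: str) -> Dict[str, object]:
    """Parse one Set-Cookie value into its name plus the two flags of interest."""
    parts = [p.strip() for p in line.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {"name": name, "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def cookie_findings(set_cookie_lines: Iterable[str],
                    sensitive_names: Iterable[str]) -> List[Dict[str, object]]:
    """List cookies missing Secure or HttpOnly and mark which ones are actionable.

    A finding is actionable only when the cookie is one the site classifies as
    sensitive (session identifiers and the like); the rest are the
    false-positive case the article describes.
    """
    sensitive = set(sensitive_names)
    findings = []
    for line in set_cookie_lines:
        cookie = parse_set_cookie(line)
        missing = [attr for attr in ("secure", "httponly") if not cookie[attr]]
        if missing:
            findings.append({"name": cookie["name"], "missing": missing,
                             "actionable": cookie["name"] in sensitive})
    return findings


# Constructed sample response: CSP already restricts framing, so X-Frame-Options is not needed.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://portal.example.invalid",
}
# Constructed Set-Cookie values as a scanner might capture them.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",  # session cookie, correctly flagged
    "ui_theme=dark; Path=/",                       # display preference only
    "visited=1; Path=/; Secure",                   # analytics flag only
]
# Assumed list of cookies that carry session state; a real site would maintain its own.
SENSITIVE_COOKIES = {"sessionid"}


if __name__ == "__main__":
    print("framing protection:", framing_protection(SAMPLE_HEADERS))
    for finding in cookie_findings(SAMPLE_SET_COOKIE, SENSITIVE_COOKIES):
        print(finding)
```

Run against the sample data, the framing check reports `csp` and both cookie findings come back with `actionable` false, which is the outcome a report should document before the finding is forwarded; a sensitive cookie missing either flag would be marked actionable and is worth reporting with the exact Set-Cookie line.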
Commonly Reported Vulnerabilities that are NOT False Positives
- Active/Passive Mixed Content Vulnerability. This is a content-related vulnerability that does not require CivicPlus-side intervention to remediate. The remediation steps are outlined here.
- HTTPS not enforced. We currently do not mandate this as a requirement for our clients' websites, but we strongly encourage it! Please see our help center articles on how to enforce HTTPS (enable HTTPS-only, also known as HTTPS by Default).
- HSTS not enabled. Since this is also not something CivicPlus mandates for clients, please report it so that we are aware you would like it enabled. If your site already has an HSTS-supported hosting and security configuration, we can enable it. If your site does not already have a supported configuration, we can provide you with all available options.
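The three findings in this list are ones a site owner can confirm for themselves before filing a report. The script below is an added example, not CivicPlus code: it scans page HTML for http:// resource references and splits them into active (scripts, frames, stylesheets) and passive (images, media) mixed content, checks whether a plain-http response redirects to https://, and parses the Strict-Transport-Security header. The tag tables, the `.invalid` hostnames, the sample HTML and the header values are constructed for the illustration.

```python
"""Client-side checks for mixed content, HTTPS enforcement and HSTS (added example)."""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Active mixed content: resources that can run code or restyle the page.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src", "link": "href"}
# Passive mixed content: media that cannot alter the rest of the document.
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collect http:// resource references found in a page served over HTTPS."""

    def __init__(self) -> None:
        super().__init__()
        self.active: List[Tuple[str, str]] = []
        self.passive: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        attrs = dict(attrs)
        # Only stylesheet <link>s load active content; icons and preloads are ignored here.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for table, bucket in ((ACTIVE_TAGS, self.active), (PASSIVE_TAGS, self.passive)):
            attr = table.get(tag)
            url = attrs.get(attr) if attr else None
            # Scheme-relative (//host/...) and https:// URLs use TLS, so only http:// is flagged.
            if url and urlparse(url).scheme.lower() == "http":
                bucket.append((tag, url))


def find_mixed_content(html: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return the active and passive http:// references in the given HTML."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return {"active": scanner.active, "passive": scanner.passive}


def https_enforced(status: int, headers: Dict[str, str]) -> bool:
    """True when a response to a plain-http request redirects to an https:// URL."""
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return status in (301, 302, 307, 308) and urlparse(location).scheme.lower() == "https"


def hsts_status(headers: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Parse Strict-Transport-Security; None means the header is absent."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if value is None:
        return None
    result: Dict[str, object] = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                result["max_age"] = int(directive.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                pass  # malformed max-age leaves the default of 0
        elif directive == "includesubdomains":
            result["include_subdomains"] = True
        elif directive == "preload":
            result["preload"] = True
    return result


# Constructed sample page with one active, one passive and two harmless references.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.invalid/site.css">
<script src="https://cdn.example.invalid/app.js"></script>
</head><body>
<img src="http://images.example.invalid/logo.png">
<img src="//images.example.invalid/banner.png">
<iframe src="http://maps.example.invalid/embed"></iframe>
</body></html>"""
# Constructed responses: the http:// request redirects, and the https:// page sends HSTS.
SAMPLE_HTTP_RESPONSE = (301, {"Location": "https://www.example.invalid/"})
SAMPLE_HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


if __name__ == "__main__":
    print(find_mixed_content(SAMPLE_HTML))
    print("https enforced:", https_enforced(*SAMPLE_HTTP_RESPONSE))
    print("hsts:", hsts_status(SAMPLE_HTTPS_HEADERS))
```

The mixed-content result lists the exact tag and URL pairs to fix in page content, which is what the remediation on the client side amounts to; the other two functions tell you whether the HTTPS-only and HSTS items need to be raised with support at all, and a `max_age` of 0 or a missing `include_subdomains` is worth noting when you do.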