StrongBox IT invites you to help the company bolster its existing security measures and adapt to new electronic threats. The security and privacy of clients' confidential information are important to us, and we take our responsibility of protecting this information seriously. We use technical, administrative and physical controls to safeguard this data.
We want to hear from security researchers who have information related to suspected security vulnerabilities on any of StrongBox IT's services exposed to the internet. We value your work and are committed to working with you. Please report vulnerabilities to us in accordance with this Responsible Disclosure Program. Thank you in advance for your contribution.
This program covers the StrongBox IT website and Modshield SB, a customized web application firewall provided by StrongBox IT
Reporting a Vulnerability
Please send us vulnerabilities you identify. You can reach us at firstname.lastname@example.org. If you discover personally identifiable information while exploring a suspected security vulnerability, we ask that you cease your investigation and report the vulnerability that led to such discovery immediately.
The report should include sufficient information for us to validate and reproduce the issue, including:
- The service affected, such as the URL, IP address or product version.
- A detailed description of the vulnerability.
- A description of how the vulnerability was discovered (including tools that were used) or what steps you were taking when you encountered the vulnerability.
- A description of the impact of the vulnerability and likely attack scenario.
- Proof of concept, or PoC, code, if applicable; alternatively, please supply reproduction instruction demonstrating how the vulnerability might be exploited.
- A suggested patch or remediation action if you are aware of how to fix the vulnerability.
If you identify a vulnerability in accordance with this program, StrongBox IT commits to working with you to understand, validate and address the vulnerability appropriately per the assessed risk.
By submitting your report to StrongBox IT:
- You agree not to publicly disclose the vulnerability until StrongBox IT agrees to a public disclosure.
- You agree to keep all communication with StrongBox IT confidential.
- You represent the report is original to you and that if you submit a third-party report, you represent that you have the permission to do so.
- You allow StrongBox IT and its subsidiaries the unconditional ability to use, distribute or disclose information provided in your report.
- You agree that StrongBox IT, in its sole determination, may reward or recognize reports made in accordance with this Responsible Disclosure Program.
Our Expectations With Your Discovery
If you are considering submitting a vulnerability report, your values clearly align with ours here at StrongBox IT. You know how critical security is and you want to protect consumer information. Understanding this shared perspective, we do not want you to take on or create unnecessary risk in order to discover a vulnerability. While we support acts taken in good faith to discover and report vulnerabilities, we expressly prohibit any of the following conduct:
- Taking any action that will negatively affect StrongBox IT, its subsidiaries or agents.
- Retaining any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.
- Disclosing any personally identifiable information discovered to any third party.
- Destruction or corruption of data, information or infrastructure, including any attempt to do so.
- Discovery dependent on social engineering techniques of any kind (any verbal or written interaction with anyone affiliated with or working for StrongBox IT).
- Any exploitation actions, including accessing or attempting to access StrongBox IT data or information, beyond what is required for the initial “Proof of Vulnerability.” This means your actions to obtain and validate the Proof of Vulnerability must stop immediately after initial access to the data or a system.
- Attacks on third-party services.
- Denial of Service attacks or Distributed Denial of Services attacks.
- Any attempt to gain physical access to StrongBox IT property or data centers.
- Use of assets that you do not own or are not authorized or licensed to use when discovering a vulnerability.
- Violation of any laws or agreements in the course of discovering or reporting any vulnerability.
Out of Scope Vulnerabilities
The following vulnerabilities are considered out of scope for our Responsible Disclosure Program:
- Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit.
- Third-party applications, websites or services that integrate with or link to StrongBox IT.
- Discovery of any in-use service (vulnerable third-party code, for example) whose running version includes known vulnerabilities without demonstrating an existing security impact.
- Low level Vulnerabilities with a CVSS score of 4.3 or lesser. You can use this CVSS calculator for reference : https://chandanbn.github.io/cvss/#CVSS:3.1
Please DO NOT report the following:
- Cross Origin Resource Sharing (CORS)
- DVWA related issues (without any demonstrated impact). NOTE: Reports related to payloads that bypass our firewall are always welcomed
- XMLRPC, WP-JSON related issues (without any demonstrated impact)