SECURITY

Reporting and Disclosure Policy

Inventiv welcomes the security community's help in identifying and fixing security issues in our products or services.

REPORT A VULNERABILITY

Please email security@inventiv.io if you believe you have discovered a vulnerability in our software.

When you submit a new vulnerability, please provide the technical details below so we can best respond to the problem.

REPORT AN INCIDENT

Do you believe we’ve been compromised? Please let us know by emailing security@inventiv.io.

When submitting an incident report, please indicate what unexpected side effects you are seeing that might indicate a compromise.

Report a Security Vulnerability

Please provide the following technical information when reporting a discovered security vulnerability. This information will help us assess the impact of the issue and form an appropriate response.

1. Provide steps to reproduce the issue, including any URLs or code involved.
2. If you are reporting a cross-site scripting (XSS) vulnerability, your exploit should display an alert dialog in the web browser. Preferably, this alert dialog should display the user’s authentication cookie.
3. For a cross-site request forgery (CSRF) vulnerability, please demonstrate a proper CSRF case, in which a third party causes the logged-in victim to perform an action.
4. For a SQL injection attack, please provide an exploit extracting database data. Producing an error message is not sufficient to qualify your disclosure as an actionable vulnerability.
5. If it helps demonstrate the exploit, please provide any relevant traffic capture of your proof of concept.

Please refrain from sending links to non-Inventiv websites, or attaching potentially executable files such as EXE, DOC, or PDF documents.

We will not respond to a generic vulnerability scanner report. However, if you have a report that was used as a starting point for your examination of a specific vulnerability, we will gladly review relevant sections of a scanner report if you point us in the right direction.

Low-Priority Vulnerabilities

Please do not report low-priority security vulnerabilities. A low-priority vulnerability is anything that only exploits client-side vulnerabilities inherent to web browsers or the HTTP protocol. Additionally, please refrain from reporting content spoofing, phishing, error stack traces, or non-authentication cookies that are not marked as Secure or HttpOnly.

Submitting Your Vulnerability

Please send your vulnerability report to security@inventiv.io. You should receive a response within a maximum of five business days.

Public Disclosure

Please further assist us by practicing responsible disclosure of any vulnerabilities you discover. Before disclosing a vulnerability publicly, we require that you first request permission from Inventiv. Inventiv will process requests for public disclosure on a per-report basis. These requests will only be considered once the reported vulnerability is fixed.

Report a Security Incident

Please provide the following technical information when reporting a security incident. This information will help us assess the impact of the issue and form an appropriate response.

1. Provide the steps to reproduce the issue, including any URLs or code involved.

Please refrain from sending links to non-Inventiv websites, or attaching potentially executable files such as EXE, DOC, or PDF documents.

Submitting Your Incident Report

Please send your incident report to security@inventiv.io. You should receive a response within a maximum of one business day.