Riva takes security, trust, and transparency seriously. We appreciate the work of security researchers and have developed a program to make it easier to report vulnerabilities to Riva and to recognize you for your effort to make the Internet a better place. This policy provides our guidelines for reporting vulnerabilities.
Any web properties owned by Riva and related companies are in scope.
Eligibility and Disclosure
For your submission to be eligible:
- You must agree to our Vulnerability Disclosure Policy.
- You must be the first person to responsibly disclose an issue unknown to Riva.
All legitimate reports will be reviewed and assessed by Riva’s Infrastructure and Core Services (ICS) team.
Detection/Collection—Vulnerability identification via vulnerability analysis, reported vulnerability information, and direct notification of vulnerabilities. After receiving notification of a vulnerability, an initial surface analysis is performed to eliminate duplicates and/or false alarms.
Analysis—Once the vulnerabilities are confirmed, Riva analysts will work to understand the vulnerabilities by examining and identifying the issues, including the potential threat.
Mitigation Coordination—After analyzing a vulnerability, Riva analysts will continue to establish and improve secure and trusted control systems and overall technology assessment and testing functions. Riva analysts will work in a time-efficient manner to effectively resolve a given vulnerability. Riva will apply its experience successfully coordinating responses to identified vulnerabilities that affect the performance of our product/service.
Application of Mitigation—Riva analysts will work to allow sufficient time to apply mitigation strategies prior to disclosure.
Disclosure—After coordinating with applicable or impacted staff and customers, and gathering technical and threat information, Riva will take appropriate steps to notify the applicable personnel about the vulnerability. Riva strives to disclose accurate, neutral, objective information focused on technical remediation and mitigation of vulnerabilities.
The following conditions are out-of-scope for the vulnerability disclosure program:
- Physical attacks against Riva employees, offices, and data centers.
- Social engineering of Riva employees, contractors, vendors, or service providers.
- Knowingly posting, transmitting, uploading, linking to, or sending malware of any type.
- Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.
- Any vulnerability obtained through the compromise of Riva customer or employee accounts.
- Being an individual who is on, or who resides in any country that is on, Canadian or U.S. sanctions lists.
- If the vulnerability has already been publicly disclosed.
- Very low potential impact to critical infrastructure.
- Very low possible threat to health and safety.
- Vendor already creating an upgrade or patch.
- Vendor has already given an estimated time required for customers to obtain, test, and apply a relevant patch.
Once your email has been submitted, Riva will contact you to arrange a method of secure communication.
All aspects of this process are subject to change without notice and to case-by-case exceptions.