What is a security vulnerability?
Draftable considers a security vulnerability to be any technical issue that incorrectly exposes customer data, internal data, or materially impacts the reliability & integrity of our system.
Some examples of security vulnerabilities:
- Broken Authentication: When authentication credentials are compromised, user sessions and identities can be hijacked by malicious actors to pose as the original user.
- SQL Injection: One of the most prevalent security vulnerabilities, SQL injection attempts to gain access to database content by injecting malicious input into queries. A successful SQL injection can allow attackers to steal sensitive data, spoof identities, and carry out a range of other harmful actions.
- Cross-Site Scripting: Much like SQL injection, a cross-site scripting (XSS) attack also injects malicious code into a website. However, an XSS attack targets the website's users rather than the website itself, which puts sensitive user information at risk of theft.
- Cross-Site Request Forgery: A cross-site request forgery (CSRF) attack aims to trick an authenticated user into performing an action they did not intend to perform. Paired with social engineering, this can deceive users into unknowingly providing a malicious actor with personal data.
- Security Misconfiguration: Any component of a security system that can be leveraged by attackers due to a configuration error can be considered a “Security Misconfiguration.”
A data leak occurs when data is accidentally exposed from within an organization, whereas a data breach results from data being deliberately stolen.
Data leakage is usually the result of a mistake. For example: sending a document with sensitive or confidential information to the wrong email recipient, saving the data to a public cloud file share, or having data on an unlocked device in a public place for others to see.
How do I report vulnerabilities?
Please send an email to securitydisclosures@draftable.com if you have identified a vulnerability.
Please include the following information in your report:
- Type of issue
- Product with the bug, and a URL
- The potential impact of the security vulnerability (e.g. what data can be affected)
- Instructions to reproduce the issue
- Any proof-of-concept or exploit code required to reproduce the issue