SSC Detailed Report

Detailed Report of securityscorecard.
com - Prepared on 7/20/22 | of
DETAILED REPORT
Scorecard for
SecurityScorecard
Get the full picture with SecurityScorecard

SecurityScorecard offers ongoing self-monitoring, history reports, CSV data exports, and more to help security teams
protect their organizations. For full free access to your organization’s Scorecard, create an account today at bit.ly/2P8okyb.
Learn more about SecurityScorecard at bit.ly/2xXNg4N today.
Security-related analyses, including ratings, and statements in the Content of this document are statements of opinion of relative future security risks of entities as of the date they are expressed, and not statements
ofcurrent or historical fact as to safety of transacting with any entity, recommendations regarding decision to do business with any entity, endorsements of the accuracy of any of the data or conclusions or attempts
toindependently assess or vouch for the security measures of any entity. SECURITYSCORECARD PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, (1) ANYWARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, (2) ACCURACY, RESULTS, TIMELINESS AND COMPLETENESS, (3) FREEDOM FROM
BUGS, SOFTWARE ERRORS ANDDEFECTS, (4) THAT THE CONTENT'S FUNCTIONING WILL BE UNINTERRUPTED AND (5) THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR
HARDWARE CONFIGURATION.The views and opinions expressed in any comment in this Company’s Scorecard are those of the authors of such comments, and do not reflect the official policy, position or views of
SecurityScorecard or any other entity.
What is SecurityScorecard?
SecurityScorecard is a security ratings service that uses an easy-to-understand A-F grading system to rate companies on their overall
security as well as across 10 major risk factors. A company with a C, D, or F rating is 5.4 times more likely to suffer a consequential
breach versus A or B-rated companies1. Certain risk factors, such as application security and patching cadence, are even more
indicative of the likelihood of breach. An F versus an A in these factors may translate into a tenfold increase in the likelihood of a data
breach or successful attack.
Learn more about SecurityScorecard’s rating system at bit.ly/2zMLSmW.
1 “New SecurityScorecard Research Can Help You Detect a Data Breach Before It Happens” (https://bit.ly/2yc0JVN)
Next Steps: This company has an A as of Set a plan to

Stay at an A July 20, 2022 maintain your A
1. Create an account
This file has a lot of detail but remember, it’s only for one point in time. Create an account to get full
free access to your organizaton’s Scorecard along with continuous self-monitoring, history reports,
CSV data exports, and more.
2. Validate your Digital Footprint

Once you have an account, review your company’s Digital Footprint, the assets SecurityScorecard
found as potentially attributable to your company, that affect the ratings in your Scorecard. Request
removal or addition of IPs as needed.
3. Review issue findings

Investigate the contents of your Scorecard with your team(s). It’s a win for your company’s security
posture when you identify loose ends of which you weren’t aware.
4. Spot new issues, maintain your A

Whether you’ve deployed a fix, found assets that don’t belong to your company, or want to share
information about compensating controls, you can let us know by remediating the identified
finding(s) and submitting them for resolution approval. Resolutions are handled by our Support
team, which will resolve any outstanding item within three business days. Remediate issues within
the platform or email support@securityscorecard.com.
We're here to The SecurityScorecard platform is based on transparency and collaboration. Our Customer
Reliability Support team provides remediation and resolution services at no charge and are happy
help to work with you and your customers to resolve any issues. If you need assistance at any stage, get
in touch by emailing support@securityscorecard.io.
Scorecard Overview
SecurityScorecard DOMAIN: securityscorecard.com
94 Security Score INDUSTRY: TECHNOLOGY
Factors
83 APPLICATION SECURITY 5 ISSUES 100 IP REPUTATION 0 ISSUES
100 CUBIT SCORE 0 ISSUES 100 INFORMATION LEAK 0 ISSUES
100 DNS HEALTH 0 ISSUES 92 NETWORK SECURITY 1 ISSUE
100 ENDPOINT SECURITY 0 ISSUES 85 PATCHING CADENCE 4 ISSUES
100 HACKER CHATTER 0 ISSUES 100 SOCIAL ENGINEERING 0 ISSUES
Comment by SecurityScorecard
SecurityScorecard is the global leader in cybersecurity ratings with over 12 million companies continuously rated. Founded by
security and risk experts SecurityScorecard’s patented rating technology is used by thousands of organizations for enterprise risk
management, third-party risk management, board reporting, due diligence, and cyber insurance underwriting. Every company has
the universal right to their trusted and transparent SecurityScorecard rating.
30-Day Score History

The chart below shows the evolution of the company’s relative security ranking over time. Peaks in score performance represent
improvements to overall security, remediation of open isues, and improved efforts to protect company infrastructure. Dips reflect
introduction of system and application misconfigurations, prolonged malware activity.
100
90
80
70
60
0
Jun 19 Jun 26 Jul 3 Jul 10 Jul 17
securityscorecard.com Technology
Action Items
FACTOR SEVERITY SCORE IMPACT ISSUES DETECTED
Application Security -0.9 Content Security Policy (CSP) Missing. A Content Security Policy (CSP) directive tells a
web browser what locations it can load resources from when rendering a webpage.
This helps prevent mistaken or malicious resources from being injected into a
webpage (and then executed by a user’s browser).
-1.4 Website Does Not Implement HSTS Best Practices. Even if a website is protected with
HTTPS, most browsers will still try first to connect to the HTTP version of the website
unless explicitly specified. At that moment, visitors to the website are vulnerable to a
man-in-the-middle attacker that can prevent them from reaching the HTTPS version of
the website they intended to visit and instead divert them to a malicious website. The
(expand) HSTS header ensures that, after a user's initial visit to the website, that they
will not be susceptible to this man-in-the-middle attack because they will immediately
connect to the HTTPS-protected website.
-1.1 Content Security Policy Contains Broad Directives. A Content Security Policy (CSP)
directive tells a web browser what locations it can load resources from when
rendering a webpage. This helps prevent mistaken or malicious resources from being
injected into a webpage (and then executed by a user’s browser).
-0.4 Website does not implement X-Content-Type-Options Best Practices. Browsers will
sometimes analyze the content themselves and handle it counter to the MIME type
header; this can lead to security issues and execution of malicious code. For example,
an attacker could hide malicious code with an image extension, where the browser
does introspection and executes it as JavaScript.
-0.4 Website does not implement X-Frame-Options Best Practices. Not explicitly setting X-
Frame-Options allows other, untrusted, websites to embed your site in a frame on
their page. This can be used to make social engineering attacks appear more
legitimate, or can even be used for clickjacking attacks.
Network Security -0.8 SSL/TLS Service Supports Weak Protocol. A TLS service was observed supporting
weak protocols.
Patching Cadence -0.4 High Severity CVEs Patching Cadence. High severity vulnerability seen on network
more than 45 days after CVE was published.
-0.4 High-Severity Vulnerability in Last Observation. We observed a high-severity

vulnerability during our last scan, which may still be publicly exposed.
<-0.1 Medium Severity CVEs Patching Cadence. Medium severity vulnerability seen on
network more than 90 days after CVE was published.
-0.1 Medium-Severity Vulnerability in Last Observation. We observed a medium-severity

vulnerability during our last scan, which may still be publicly exposed.
83 APPLICATION SECURITY
The Web Application Vulnerability module uses incoming threat intelligence from known exploitable conditions identified via:
whitehat CVE databases, blackhat exploit databases, and sensitive findings indexed by major search engines. The module ingests
data from multiple public data sets, third party feeds, and an internal proprietary indexing and aggregation engine.
The score determines the likelihood of an upcoming web application breach, and checks for any existing defacement code. Presence
of vulnerable applications, outdated versions, and active defacements are used to calculate the overall grade.
HIGH SEVERITY MEDIUM SEVERITY LOW SEVERITY POSITIVE
There are no High Severity Issues Content Security Policy (CSP) 2 Content Security Policy 3 There are no Positive Signals for
for Application Security Missing Contains Broad Directives Application Security
Website Does Not Implement 3 Website does not implement 4
HSTS Best Practices X-Content-Type-Options Best
Practices
INFORMATIONAL
Website does not implement 4
X-Frame-Options Best There are no Informational Signals
Practices for Application Security
Content Security Policy (CSP) Missing -0.9 SCORE IMPACT

A Content Security Policy (CSP) directive tells a web browser what locations it can load resources from when
rendering a webpage.
This helps prevent mistaken or malicious resources from being injected into a webpage (and then executed by a
user’s browser).
Description Recommendation
The Content Security Policy provides a valuable safety net that Enable CSP headers via your webserver configuration.
protects your website from malicious cross-site scripting (XSS)
attacks. A well configured policy will stop an attacker
attempting to inject their code, or references to other malicious
content, into your website.
Without a Content Security Policy, it's easy for website
developers to make mistakes that allow an attacker to inject
content that changes the way the website behaves.
2 findings
DOMAIN SCHEME OBSERVATIONS LAST OBSERVED FINAL URL
securityscorecard.io https 1991 Date and time URL
securityscorecard.com https 226 Date and time URL
Content Security Policy Contains Broad Directives -1.1 SCORE IMPACT

A Content Security Policy (CSP) directive tells a web browser what locations it can load resources from when rendering
a webpage.
This helps prevent mistaken or malicious resources from being injected into a webpage (and then executed by a
user’s browser).
The Content Security Policy (CSP) header can mitigate Cross- Explicitly specify trusted sources for your script-src and object-src
Site Scripting (XSS) attacks by prohibiting the browser from policies. Ideally you can use the 'self' directive to limit scripts and
loading resources on your page from domains that you don't objects to only those on your own domain, or you can explicitly
explicitly trust. However, by using overly broad methods of specify domains that you trust and rely upon for your site to
describing what you trust (ie. 'http:', '*', 'http://*') for your script- function.
src and object-src directives, or your default-src directive in the
absence of those directives, this key feature of the CSP header
can be bypassed by an attacker.
3 findings
DOMAIN SCHEME OBSERVATIONS LAST OBSERVED FINAL URL
Evidence :
securityscorecard.com https 810 Date and time URL
Evidence :
Evidence :
Website Does Not Implement HSTS Best Practices -1.4 SCORE IMPACT
Even if a website is protected with HTTPS, most browsers will still try first to connect to the HTTP version of the
website unless explicitly specified. At that moment, visitors to the website are vulnerable to a man-in-the-middle
attacker that can prevent them from reaching the HTTPS version of the website they intended to visit and instead
divert them to a malicious website. The (expand) HSTS header ensures that, after a user's initial visit to the website,
that they will not be susceptible to this man-in-the-middle attack because they will immediately connect to the HTTPS-
protected website.
HTTP Strict Transport Security is an HTTP header that instructs Every web application (and any URLs traversed to arrive at the
clients (e.g., web browsers) to only connect to a website over website via redirects) should set the HSTS header to remain in
encrypted HTTPS connections. Clients that respect this header effect for at least 12 months (31536000 seconds). It is also
will automatically upgrade all connection attempts from HTTP recommended to set the 'includeSubDomains' directive so that
to HTTPS. requests to subdomains are also automatically upgraded to
After a client receives the HSTS header upon its first website HTTPS.
visit, future connections to that website are protected against An acceptable HSTS header would declare:
Man-in-the-Middle attacks that attempt to downgrade to an Strict-Transport-Security: max-age=31536000;
unencrypted HTTP connection. includeSubDomains;
The browser will expire the HTTP Strict Transport Security
header after the number of seconds configured in the max-age
attribute.
3 findings
ANALYSIS DOMAIN SCHEME OBSERVATIONS LAST OBSERVED FINAL URL
no_hsts securityscorecard.io https 47503 Date and time URL
hsts_missing_subdomain securityscorecard.io https 1967 Date and time URL
hsts_age_too_short securityscorecard.com https 4118 Date and time URL
Website does not implement X-Content-Type-Options Best -0.4 SCORE IMPACT

Practices
Browsers will sometimes analyze the content themselves and handle it counter to the MIME type header; this can
lead to security issues and execution of malicious code. For example, an attacker could hide malicious code with an
image extension, where the browser does introspection and executes it as JavaScript.
A MIME type is an HTTP header that indicates the type of Add the following header to responses from this website: 'X-
content returned in a response and how it should be handled Content-Type-Options: nosniff'
and displayed by the browser.
Browsers will sometimes analyze the content themselves and
handle it counter to the MIME type header; this can lead to
security issues and execution of malicious code.
The X-Content-Type-Options header indicates that browsers
should always trust the declared MIME type from the server
and not attempt to analyze the content themselves.
Public comment on issue

Add a comment
4 findings
x_content_type_options_m securityscorecard.io https 48021 Date and time URL

issing

issing
x_content_type_options_m securityscorecard.com https 592 Date and time URL
issing

issing
Website does not implement X-Frame-Options Best Practices -0.4 SCORE IMPACT
Not explicitly setting X-Frame-Options allows other, untrusted, websites to embed your site in a frame on their page.
This can be used to make social engineering attacks appear more legitimate, or can even be used for clickjacking
attacks.
The X-Frame-Options HTTP response header can be used to Add one of the following headers, using the 'DENY' or 'ALLOW-
indicate whether a browser should be allowed to render a FROM' directive, to responses from this website: X-Frame-Options:
page in a '<frame>', '<iframe>' or '<object>'. Sites can use this to DENY' X-Frame-Options: ALLOW-FROM https://example.com/'
avoid clickjacking attacks, by ensuring that their content is not
embedded into other websites.
4 findings
x_frame_options_missing securityscorecard.io https 48026 Date and time URL
x_frame_options_missing securityscorecard.com https 4151 Date and time URL
100 CUBIT SCORE
This proprietary module measures a variety of security issues that a company might have. For example, we check public threat
intelligence databases for IP addresses that have been flagged. These misconfigurations may have high exploitability and could
cause significant harm to the privacy of your data and infrastructure
There are no High Severity Issues There are no Medium Severity There are no Low Severity Issues There are no Positive Signals for
for Cubit Score Issues for Cubit Score for Cubit Score Cubit Score
INFORMATIONAL
There are no Informational Signals

for Cubit Score
No issues found
100 DNS HEALTH
This module measures the health and configuration of a company's DNS settings. It validates that no malicious events occurred in the
passive DNS history of the company's network. It also helps validate that mail servers have proper protection in place to avoid
spoofing. It also helps verify that DNS servers are configured correctly.
for DNS Health Issues for DNS Health for DNS Health DNS Health
INFORMATIONAL

for DNS Health
No issues found
100 ENDPOINT SECURITY
The Endpoint Security Module tracks identification points that are extracted from metadata related to the operating system, web
browser, and related active plugins. The information gathered allows companies to identify outdated versions of these data points
which can lead to client-side exploitation attacks.
for Endpoint Security Issues for Endpoint Security for Endpoint Security Endpoint Security
INFORMATIONAL

for Endpoint Security
No issues found
100 HACKER CHATTER
The SecurityScorecard Hacker Chatter module is an automated collection and aggregation system for the analysis of multiple
streams of underground hacker chatter. Forums, IRC, social networks, and other public repositories of hacker community discussions
are continuously monitored, collected and aggregated in order to locate mentions of business names and websites. The Hacker
Chatter score is an informational indicator ranking that is ranked based on the quantity of indicators that appear within the collection
sensors.
for Hacker Chatter Issues for Hacker Chatter for Hacker Chatter Hacker Chatter
INFORMATIONAL

for Hacker Chatter
No issues found
100 IP REPUTATION
The IP Reputation and Malware Exposure module makes use of the SecurityScorecard sinkhole infrastructure as well as a blend of
OSINT malware feeds, and third party threat intelligence data sharing partnerships. The SecurityScorecard sinkhole system ingests
millions of malware signals from commandeered Command and Control (C2) infrastructures globally from all over the world. The
incoming data is processed and attributed to corporate enterprises. The quantity and duration of malware infections are used as the
determining factor for calculating is module the Malware Exposure Key Threat Indicator.
There are no High Severity Issues There are no Medium Severity There are no Low Severity Issues There are no Positive Signals for IP
for IP Reputation Issues for IP Reputation for IP Reputation Reputation
INFORMATIONAL

for IP Reputation
No issues found
100 INFORMATION LEAK
This Information Leak module makes use of chatter monitoring and deep web monitoring capabilities to identify compromised
credentials being circulated by hackers. These come in the form of bulk data breaches announced publicly as well as smaller
breaches, and smaller exchanges between hackers
for Information Leak Issues for Information Leak for Information Leak Information Leak
INFORMATIONAL

for Information Leak
No issues found
92 NETWORK SECURITY
The Network Security module checks public datasets for evidence of high risk or insecure open ports within the company network.
Insecure ports can often be exploited to allow an attacker to circumvent the login process or obtain elevated access to the system. If
misconfigured, the open port can act as the entry point between a hacker's workstation and your internal network
SSL/TLS Service Supports 1 There are no Medium Severity There are no Low Severity Issues There are no Positive Signals for
Weak Protocol Issues for Network Security for Network Security Network Security
INFORMATIONAL

for Network Security
SSL/TLS Service Supports Weak Protocol -0.8 SCORE IMPACT

A TLS service was observed supporting weak protocols.
Transport Layer Security (TLS), the successor to Secure Socket Disable the protocols listed in the evidence column of the
Layer (SSL), is a network protocol that encrypt communications measurement.
between TLS servers (e.g., websites) and TLS clients (e.g., web
browsers). Every communication is secured by a cipher suite: a
combination of several algorithms working in concert.
Networking protocols do not have a defined lifetime, but
academics, researchers, and nation states are constantly
evaluating them for weaknesses. Consensus on which
protocols are untrustworthy evolves over time, and if
communications are sent with a weak protocol then that
communication can be altered or decrypted.
1 finding
TARGET PORT OBSERVATIONS LAST OBSERVED
track.securityscorecard.io 443 1591 Date and time
85 PATCHING CADENCE
The Patching Cadence module analyzes how quickly a company reacts to vulnerabilities to measure patching practices. We look at
the rate at which it takes a company to remediate and apply patches compared to peers.
High Severity CVEs Patching 2 Medium Severity CVEs 2 There are no Low Severity Issues There are no Positive Signals for
Cadence Patching Cadence for Patching Cadence Patching Cadence
High-Severity Vulnerability in 2 Medium-Severity Vulnerability 2
Last Observation in Last Observation
INFORMATIONAL

for Patching Cadence
High Severity CVEs Patching Cadence -0.4 SCORE IMPACT

High severity vulnerability seen on network more than 45 days after CVE was published.
Based on scan data, the company had high severity CVE Monitor CVE lists and vulnerability repositories for exploit code
vulnerability that was open longer than 45 days after the CVE that may affect your infrastructure. Subscribe to the National
was published. High severity CVEs are those with a Vulnerability Database (NVD) RSS or other feeds to be alerted to
documented CVSS severity over 7.0. It is best practice in new exploits and vulnerabilities as they are released. Maintain a
standards such as PCI DSS to mitigate or patch high severity regular updating schedule for all software and hardware in use
vulnerabilities within 45 days. Details on each vulnerability are within your enterprise, ensuring that all the latest patches are
listed in the table below. implemented as they are released.
2 findings
VULNERABILITY IP ADDRESS PORT LAST OBSERVED OPEN VULNERABILITY PUBLISH
DATE
CVE-2018-16844 3.219.80.31 443

Vulnerability Description : nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue
affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configurat on file.
CVE-2018-16843 3.219.80.31 443
Vulnerability Description : nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption.
This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
Medium Severity CVEs Patching Cadence <-0.1 SCORE IMPACT

Medium severity vulnerability seen on network more than 90 days after CVE was published.
Based on scan data, the company had medium severity CVE Monitor CVE lists and vulnerability repositories for exploit code
vulnerability that was open longer than 90 days after the CVE that may affect your infrastructure. Subscribe to the National
was published. Medium severity CVEs are those with a Vulnerability Database (NVD) RSS or other feeds to be alerted to
documented CVSS severity between 4.0 and 6.9. It is best new exploits and vulnerabilities as they are released. Maintain a
practice to mitigate or patch medium severity vulnerabilities regular updating schedule for all software and hardware in use
within 90 days. Details on each vulnerability are listed in the within your enterprise, ensuring that all the latest patches are
table below. implemented as they are released.
2 findings
VULNERABILITY IP ADDRESS PORT LAST OBSERVED OPEN VULNERABILITY PUBLISH
DATE
CVE-2018-16845 3.219.80.31 443

Vulnerability Description : nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a
worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if
it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible
if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.
CVE-2019-20372 3.219.80.31 443
Vulnerability Description : NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to
read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
High-Severity Vulnerability in Last Observation -0.4 SCORE IMPACT

We observed a high-severity vulnerability during our last scan, which may still be publicly exposed.
Common vulnerabilities and exposures (CVE) is a list of Update or patch affected software and hardware. Enable
publicly-known vulnerabilities in software and hardware. Each automatic updates if available from your software vendor and
CVE contains an ID, a description of the vulnerability, and the permitted in your environment. Monitor CVE lists and vulnerability
product names and versions which are affected by the repositories for exploit code that may affect your infrastructure.
vulnerability. Subscribe to the Bugtraq mailing list to be alerted to new exploits
Software and hardware frequently self-report their product and vulnerabilities as they are released. Maintain a regular update
name and version when hosts connect to them. By searching schedule for all software and hardware in use within your
through the CVE list and cross-referencing the names and organization, ensuring that all the latest patches are applied soon
versions of products found on this company's network, we are after they are released.
able to infer the presence of vulnerabilities.
2 findings
VULNERABILITY IP ADDRESS PORT CVE PUBLISH DATE LAST OBSERVED
CVE-2018-16844 3.219.80.31 443

Vulnerability Description : nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue
affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
CVE-2018-16843 3.219.80.31 443
Vulnerability Description : nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption.
This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
Medium-Severity Vulnerability in Last Observation -0.1 SCORE IMPACT

We observed a medium-severity vulnerability during our last scan, which may still be publicly exposed.
Common vulnerabilities and exposures (CVE) is a list of Update or patch affected software and hardware. Enable
publicly-known vulnerabilities in software and hardware. Each automatic updates if available from your software vendor and
CVE contains an ID, a description of the vulnerability, and the permitted in your environment. Monitor CVE lists and vulnerability
product names and versions which are affected by the repositories for exploit code that may affect your infrastructure.
vulnerability. Subscribe to the Bugtraq mailing list to be alerted to new exploits
Software and hardware frequently self-report their product and vulnerabilities as they are released. Maintain a regular update
name and version when hosts connect to them. By searching schedule for all software and hardware in use within your
through the CVE list and cross-referencing the names and organization, ensuring that all the latest patches are applied soon
versions of products found on this company's network, we are after they are released.
able to infer the presence of vulnerabilities.
2 findings
CVE-2018-16845 3.219.80.31 443

Vulnerability Description : nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a
worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if
it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible
if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.
CVE-2019-20372 3.219.80.31 443

Vulnerability Description : NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to
read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
100 SOCIAL ENGINEERING
The SecurityScorecard Social Engineering Module is used to determine the potential susceptibility of an organization to a targeted
social engineering attack. The Social Engineering module ingests data from social networks and public data breaches, and blends
proprietary analysis methods. The Social Engineering Score is an informational indicator calculated based on the quantity of
indicators that appear in SecurityScorecard collection sensors.
for Social Engineering Issues for Social Engineering for Social Engineering Social Engineering
INFORMATIONAL

for Social Engineering
No issues found
No content (including ratings, data, reports, software or other application or output therefrom) or any part thereof (collectively,
Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or
retrieval system without the prior written permission of SecurityScorecard, Inc. (SSC) The Content shall not be used for any unlawful
or unauthorized purposes.
SSC and any third-parties, and their directors, officers, shareholders, employees, customers and agents (collectively SSC Parties) do
not guarantee or warrant the accuracy, completeness, timeliness or availability of the Content. SSC Parties are not responsible for
any errors or omissions (negligent or otherwise), regardless of the cause, or for the results obtained from the use of the Content. The
Content is provided on an "as is" basis. SSC PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, (1) ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, (2) ACCURACY,
RESULTS, TIMELINESS AND COMPLETENESS,(3) FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS (4) THAT THE
CONTENT'S FUNCTIONING WILL BE UNINTERRUPTED AND (5) THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR
HARDWARE CONFIGURATION. In no event shall SSC Parties be liable to any party for any direct, indirect, incidental, exemplary,
compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost
income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if
advised of the possibility of such damages.
USERS OF THE CONTENT MUST USE ALL REASONABLE ENDEAVORS TO MITIGATE ANY LOSS OR DAMAGE WHATSOEVER (AND
HOWSOEVER ARISING) AND NOTHING HEREIN SHALL BE DEEMED TO RELIEVE OR ABROGATE USERS OF ANY SUCH DUTY TO
MITIGATE ANY LOSS OR DAMAGE.
IN ANY EVENT, TO THE EXTENT PERMITTED BY LAW, THE AGGREGATE LIABILITY OF THE SSC PARTIES FOR ANY REASON
WHATSOEVER RELATED TO ACCESS TO OR USE OF CONTENT SHALL NOT EXCEED THE GREATER OF (A) THE TOTAL AMOUNT PAID
TO SSC BY THE USER FOR SERVICES PROVIDED DURING THE 12 MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO
LIABILITY, AND (B) U.S. $100.
Security-related analyses, including ratings and statements in the Content, are statements of opinion of relative future security risks
of entities as of the date they are expressed, and not statements of current or historical fact as to safety of transacting with any entity,
recommendations regarding decision to do business with any entity, endorsements of the accuracy of any of the data or conclusions
or attempts to independently assess or vouch for the security measures of any entity. SSC’s opinions, analyses and ratings should not
be relied on as a substitute for the skill, judgment and experience of the user and its management, employees, advisors and clients
when making business decisions. SSC assumes no obligation to update the Content following publication in any form or format.
While SSC has obtained information from sources it believes to be reliable, SSC does not perform an audit and undertakes no duty of
due diligence or independent verification of any information it receives. Users expressly agree that (a) the security ratings and other
security opinions provided via the Content do not reflect, identify or detect every vulnerability or security issue or address any other
risk; (b) the security ratings and other opinions provided do not take into account users’ particular objectives, situations or needs; (c)
each rating or other opinion will be weighed, if at all, solely as one factor in any decision made by or on behalf of any user; and (d)
users will accordingly, with due care, make their own study and evaluation of the risks of doing business with any entity. If a user
identifies any in the Content, we invite you to share that information with us by emailing us at support@securityscorecard.io. ©2022
SecurityScorecard, Inc. All rights reserved.

SSC Detailed Report

Uploaded by

Copyright:

Available Formats

SSC Detailed Report

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SSC Detailed Report

Uploaded by

Copyright:

Available Formats

Detailed Report of securityscorecard.

com - Prepared on 7/20/22 | of

Get the full picture with SecurityScorecard

Learn more about SecurityScorecard at bit.ly/2xXNg4N today.

Learn more about SecurityScorecard’s rating system at bit.ly/2zMLSmW.

Next Steps: This company has an A as of Set a plan to

2. Validate your Digital Footprint

3. Review issue findings

4. Spot new issues, maintain your A

94 Security Score INDUSTRY: TECHNOLOGY

83 APPLICATION SECURITY 5 ISSUES 100 IP REPUTATION 0 ISSUES

100 CUBIT SCORE 0 ISSUES 100 INFORMATION LEAK 0 ISSUES

100 DNS HEALTH 0 ISSUES 92 NETWORK SECURITY 1 ISSUE

100 ENDPOINT SECURITY 0 ISSUES 85 PATCHING CADENCE 4 ISSUES

100 HACKER CHATTER 0 ISSUES 100 SOCIAL ENGINEERING 0 ISSUES

30-Day Score History

-0.4 High-Severity Vulnerability in Last Observation. We observed a high-severity

-0.1 Medium-Severity Vulnerability in Last Observation. We observed a medium-severity

HIGH SEVERITY MEDIUM SEVERITY LOW SEVERITY POSITIVE

Content Security Policy (CSP) Missing -0.9 SCORE IMPACT

securityscorecard.io https 1991 Date and time URL

securityscorecard.com https 226 Date and time URL

Content Security Policy Contains Broad Directives -1.1 SCORE IMPACT

securityscorecard.io https 74942 Date and time URL

no_hsts securityscorecard.io https 47503 Date and time URL

hsts_missing_subdomain securityscorecard.io https 1967 Date and time URL

hsts_age_too_short securityscorecard.com https 4118 Date and time URL

Website does not implement X-Content-Type-Options Best -0.4 SCORE IMPACT

Public comment on issue

x_content_type_options_m securityscorecard.io https 48021 Date and time URL

x_content_type_options_m securityscorecard.io https 14423 Date and time URL

x_content_type_options_m securityscorecard.io https 1991 Date and time URL

x_frame_options_missing securityscorecard.io https 48026 Date and time URL

x_frame_options_missing securityscorecard.io https 14423 Date and time URL

x_frame_options_missing securityscorecard.io https 1991 Date and time URL

x_frame_options_missing securityscorecard.com https 4151 Date and time URL

HIGH SEVERITY MEDIUM SEVERITY LOW SEVERITY POSITIVE

There are no Informational Signals

HIGH SEVERITY MEDIUM SEVERITY LOW SEVERITY POSITIVE

There are no Informational Signals

HIGH SEVERITY MEDIUM SEVERITY LOW SEVERITY POSITIVE

There are no Informational Signals

HIGH SEVERITY MEDIUM SEVERITY LOW SEVERITY POSITIVE

There are no Informational Signals

HIGH SEVERITY MEDIUM SEVERITY LOW SEVERITY POSITIVE

There are no Informational Signals

HIGH SEVERITY MEDIUM SEVERITY LOW SEVERITY POSITIVE

There are no Informational Signals

HIGH SEVERITY MEDIUM SEVERITY LOW SEVERITY POSITIVE

There are no Informational Signals

SSL/TLS Service Supports Weak Protocol -0.8 SCORE IMPACT

track.securityscorecard.io 443 1591 Date and time

HIGH SEVERITY MEDIUM SEVERITY LOW SEVERITY POSITIVE

There are no Informational Signals

High Severity CVEs Patching Cadence -0.4 SCORE IMPACT

CVE-2018-16844 3.219.80.31 443

Medium Severity CVEs Patching Cadence <-0.1 SCORE IMPACT

CVE-2018-16845 3.219.80.31 443

High-Severity Vulnerability in Last Observation -0.4 SCORE IMPACT

CVE-2018-16844 3.219.80.31 443