Security Policy
Obviously, PrestaShop project security is a critical matter. Project members are dedicated to keeping a high level of security in every aspect of the software.
However, no software is free of vulnerabilities, which is why there is a security report process. If you find a security issue, please follow it to responsibly disclose your findings.
Reporting a Vulnerability
Security issues can be reported by sending an email to [email protected] or through our Bug Bounty Program. Reports go to the security team members.
When the security team receives a security bug report, the report will be assigned to a primary handler. This person will coordinate the fix and release process, involving the following steps:
- Confirm the problem and determine the affected versions.
- Audit the code to find any potential similar problems.
- Prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible.
The security team will follow up with a response indicating the next steps in handling the report.
If the issue is confirmed, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
Disclosure Policy
In general, public disclosures are made after the issue has been fully identified and a patch is ready to be released.