Security Policy

Obviously, PrestaShop project security is a critical matter. Project members are dedicated to keeping a high level of security in every aspect of the software.

However, no software is free of vulnerabilities, which is why there is a security report process. If you find a security issue, please follow it to responsibly disclose your findings.

Reporting a Vulnerability

Security issues can be reported by sending an email to [email protected] or through our Bug Bounty Program. Reports go to security team members.

When the security team receives a security bug report, the report will be assigned to a primary handler. This person will coordinate the fix and release process, involving the following steps:

  • Confirm the problem and determine the affected versions.
  • Audit the code to find any potential similar problems.
  • Prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible.

The security team will follow up with a response indicating the next steps in handling the report.

If the issue is confirmed, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Disclosure Policy

In general, public disclosures are made after the issue has been fully identified and a patch is ready to be released.