Security policy for our Prestashop modules
Last amended 30/05/2025
Reporting a vulnerability
The security of our Prestashop modules, and of our customers (or, for free modules, our users), is essential. We therefore encourage security researchers to analyse our modules and to report any vulnerability they identify to us, following responsible disclosure practices.
We commit to identifying and fixing any vulnerability, and to communicating transparently with the parties concerned throughout the process.
If you think you have discovered a vulnerability in one of our modules, you can report it to us responsibly via the contact form (section 5 - Security). So that we can identify and fix the vulnerability as quickly as possible, please specify:
- Name of module
- Version of the module
- Configuration of the module (with a screenshot if possible)
- Version of Prestashop
- Type of vulnerability (XSS, SQL injection, CSRF, RCE, etc.)
- Precise steps to reproduce the exploit:
  - Step-by-step instructions
  - Code (script, SQL, JS, etc.)
  - Screenshots or videos if possible
- Impact (back-office access, data theft, unauthorized access, privilege escalation, etc.)
- Environment:
  - PHP version
  - Web server (Apache, Nginx, etc.)
  - Operating system (macOS, Linux, Windows, etc.)
Please note that reports that are not reproducible, or that do not directly concern our modules, will not be processed.
Our vulnerability management policy
In accordance with the TouchWeb Charter for Responsible Cybersecurity, our team applies the following principles:
- Acknowledgement of receipt of any relevant report within 7 days at most, CVSS 7.0
- Impact assessment and remediation planning within 30 days at most
- Publication of a security advisory with a CVE if the CVSS score is 7.5 or higher
- No fix will be released silently.
At the same time, we are making the following commitments to ensure responsible and ethical management of vulnerabilities:
- Not to take legal action against researchers acting in good faith, in particular under the YesWeHack programme managed by TouchWeb SAS
- To ensure that no confidentiality agreement, including white-label arrangements, can prevent the transparent publication of a security advisory with a CVE identifier, in line with the state of the art
We are well aware that this transparency is essential to enable the third parties concerned (agencies, merchants, etc.) to meet their compliance obligations, in particular under the PCI DSS standard or one of its simplified versions such as SAQ A.
Authorization for publication
We expressly allow TouchWeb SAS to publish information on the corrected vulnerabilities of our modules on its official website, in accordance with the commitments of the Responsible Cybersecurity Charter.
The publication includes:
- A CVE identifier associated with the vulnerability
- A security advisory clearly describing the problem and its resolution
- The versions concerned and the corrected version
- An easy-to-deploy patch when updating is not possible
- Any useful information to enable users and agencies to protect themselves quickly
Prevention
Identifying security flaws without specific expertise and code analysis tools is inherently difficult. The agency therefore offers a free open-source tool which uses very few resources and alerts you by email whenever a file on your site is modified or created. Run every 5 minutes, for example, it lets you detect an intrusion quickly and then analyse the web server logs to find where the flaw came from.
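The mechanism behind such a tool is a file-integrity check: hash every file under the web root, keep the manifest from the previous run, and report anything created, modified or deleted since. The script below is an added example written for this page, not the agency's tool; the excluded cache directories, the state-file location and the cron schedule in the usage note are assumptions for a typical Prestashop install, and the "web root" it scans is a constructed temporary directory so that it runs offline.

```python
"""
Minimal file-integrity monitor for a web root such as a Prestashop install.
Added example, not the agency's tool: it hashes every file under the web root,
compares the result with the manifest saved by the previous run and reports
created, modified and deleted files. Paths and exclusions are assumptions.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Directories Prestashop rewrites legitimately; hashing them would cause
# constant false alerts. Adjust to your install (assumed defaults).
EXCLUDE_PREFIXES = ("var/cache/", "var/logs/", "img/tmp/")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large media files do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()
            if rel.startswith(EXCLUDE_PREFIXES):
                continue
            manifest[rel] = hash_file(path)
    return manifest


def diff_manifests(old: dict, new: dict) -> dict:
    """Files present only in new (added), only in old (removed), or with a different hash."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def check(root, state_file) -> dict:
    """One scheduled run: compare with the saved manifest, then save the new one.
    The first run only records the baseline and reports nothing."""
    state_file = Path(state_file)
    new = build_manifest(root)
    if not state_file.exists():
        state_file.write_text(json.dumps(new, sort_keys=True))
        return {"added": [], "removed": [], "modified": [], "baseline": True}
    old = json.loads(state_file.read_text())
    changes = diff_manifests(old, new)
    changes["baseline"] = False
    state_file.write_text(json.dumps(new, sort_keys=True))
    return changes


def format_alert(changes: dict) -> str:
    """Body of the alert mail; an empty string means there is nothing to send."""
    lines = []
    for kind in ("added", "modified", "removed"):
        for rel in changes[kind]:
            lines.append(f"{kind.upper():9} {rel}")
    return "\n".join(lines)


def run_demo() -> dict:
    """Constructed scenario: baseline a tiny fake web root, then plant a PHP
    dropper, tamper with a core file and let the cache churn; returns the changes."""
    root = Path(tempfile.mkdtemp(prefix="fim_root_"))
    state = Path(tempfile.mkdtemp(prefix="fim_state_")) / "manifest.json"
    (root / "var" / "cache").mkdir(parents=True)
    (root / "modules" / "acme").mkdir(parents=True)
    (root / "index.php").write_text("<?php require 'app.php';")
    (root / "modules" / "acme" / "acme.php").write_text("<?php class Acme {}")
    (root / "var" / "cache" / "class_index.php").write_text("<?php // cache")

    first = check(root, state)
    assert first["baseline"] and not first["added"]

    # Simulated intrusion: new PHP dropper, tampered core file, legitimate cache rebuild.
    (root / "modules" / "acme" / "x.php").write_text("<?php eval($_POST['c']);")
    (root / "index.php").write_text("<?php require 'evil.php';")
    (root / "var" / "cache" / "class_index.php").write_text("<?php // rebuilt")
    return check(root, state)


if __name__ == "__main__":
    print(format_alert(run_demo()) or "no changes")
```

In the demo the second run reports `modules/acme/x.php` as added and `index.php` as modified, while the rebuilt cache file is ignored. To schedule it as the text suggests, an assumed crontab entry such as `*/5 * * * * python3 /opt/fim/fim.py /var/www/prestashop /var/lib/fim/manifest.json | mail -s "FIM alert" admin@example.com` (mailing only when the output is non-empty) would do. Two points matter for the check to be trustworthy: run it as a user other than the web server's, and keep the manifest outside the web root and unwritable by that web server user, otherwise an attacker who already executes PHP on the site can simply rewrite the baseline to cover their tracks.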
Publications
Below is a list of known and corrected security vulnerabilities:
Date | Module | Affected version | CWE | CVSS | CVE | Impact | Corrected version
---|---|---|---|---|---|---|---