🚨 Reporting Vulnerabilities

The security of our modules and our customers is of paramount importance.

Therefore, we encourage security researchers to analyze our modules and report any vulnerabilities found to us in accordance with good responsible disclosure practices.

We are committed to identifying and correcting any vulnerabilities and communicating transparently with our stakeholders throughout the process.

If you think you have discovered a vulnerability in one of our modules, you can report it to us in a responsible manner at support@ndk-design.fr.

We invite you to provide as many details as possible (description, impact, relevant version, reproduction stage).

Please note that non-reproducible findings or findings not directly related to our modules will be ignored.

📜 Our Vulnerability Management Policy

In accordance with the TouchWeb Charter for Responsible Cybersecurity, our team is guided by the following principles:

  • Acknowledgement of receipt of any relevant report (CVSS ≥ 4.0) within a maximum of 7 days.
  • Impact analysis and patch planning within a maximum of 30 days.
  • Security bulletins with CVEs are issued if the CVSS score is ≥ 7.5.
  • Corrections will not be issued silently.

At the same time, we make the following commitments to ensure that vulnerabilities are managed responsibly and ethically:

  • Not to prosecute researchers acting in good faith, especially those in the YesWeHack program managed by TouchWeb SAS.
  • To ensure that no non-disclosure agreement, including white label agreements, prevents the transparent release of security bulletins with CVE identifiers based on the latest technology.

We are aware that this transparency is essential for relevant third parties (organizations, merchants, etc.) to meet their compliance obligations, especially within the framework of the PCI-DSS standard or its lighter version (e.g. SAQ-A).

🛡️ PUBLICATION AUTHORIZATION

We expressly authorize TouchWeb SAS, in accordance with its commitment to the Charter for Responsible Cybersecurity, to publish on its official website information related to the vulnerabilities that have been corrected in our modules.

The publication includes:

  • The CVE identifier associated with the vulnerability.
  • A security note that clearly describes the problem and its solution.
  • Affected and corrected versions.
  • Easy-to-deploy patches when updates are not available.
  • All the information users and organizations need to protect themselves quickly.
