Security Policy
Reporting a Vulnerability
The security of our modules and the websites we develop for our customers is paramount. That is why we encourage security researchers to conduct analyses on our modules and report any vulnerabilities they identify to us, in accordance with responsible disclosure practices.
If you believe you have discovered a vulnerability in one of our modules, you can report it to us responsibly at: security@presta-module.com
Please provide as much detail as possible in your report:
Essential information to include
→ Detailed description: Clearly explain the nature of the vulnerability identified
→ Impact assessment: Describe the potential consequences for users or sites
→ Affected versions: Specify the versions of the module affected by the vulnerability
→ Reproduction steps: Provide a step-by-step guide to reproduce the problem
→ Proof of concept: If possible, include relevant screenshots or code snippets
Please note that findings that cannot be reproduced or are not directly related to our modules will be ignored.
We are committed to identifying and correcting any vulnerabilities and communicating transparently with the parties concerned throughout the process.
Our Vulnerability Management Policy
In accordance with the TouchWeb Charter for Responsible Cybersecurity, our team applies the following principles:
- Acknowledgment of all relevant reports (CVSS ≥ 7.5) within a maximum of 7 days.
- Impact analysis and planning of a fix within a maximum of 30 days.
- Publication of a security advisory with CVE if the CVSS score is ≥ 7.5.
- No fixes will be released silently.
In parallel, we make the following commitments to ensure responsible and ethical vulnerability management:
- We will not take legal action against researchers acting in good faith, particularly in the context of the YesWeHack program managed by TouchWeb SAS.
- We guarantee that no confidentiality agreement, including white label agreements, will prevent the transparent publication of a security advisory with a CVE identifier, in accordance with the state of the art.
We are well aware that this transparency is essential to enable relevant third parties (agencies, merchants, etc.) to meet their compliance obligations, particularly under the PCI-DSS standard or one of its simplified versions, such as SAQ-A.
Authorization for Publication
We expressly authorize TouchWeb SAS to publish information about the vulnerabilities fixed in our modules on its official website, in accordance with the commitments of the Responsible Cybersecurity Charter.
This publication includes:
- A CVE identifier associated with the vulnerability.
- A security note clearly describing the problem and its resolution.
- The affected versions and the corrected version.
- An easy-to-deploy fix when updating is not possible.
- Any useful information to enable users and agencies to protect themselves quickly.
We are well aware that this transparency is essential to enable affected third parties (agencies, merchants, etc.) to meet their compliance obligations, particularly under the PCI-DSS standard or one of its simplified versions, such as SAQ-A.
Publications
No publications to date.