Reporting a Vulnerability
- The security of our modules and our clients is paramount. That’s why we encourage security researchers to analyze our modules and report any identified vulnerabilities to us, in line with responsible disclosure best practices.
- We are committed to identifying and fixing any vulnerability, and to communicating transparently with all relevant parties throughout the process.
- If you believe you have discovered a vulnerability in one of our modules, you may report it responsibly via our contact form.
- Please provide as much detail as possible (description, impact, affected version, reproduction steps).
- Please note that non-reproducible reports, or reports unrelated to our modules, will be ignored.
Our Vulnerability Management Policy
In accordance with the TouchWeb Charter for Responsible Cybersecurity, our team applies the following principles:
- Acknowledgement of any relevant report within 7 days at most. (CVSS ≥ 4.0 – scoring at your discretion, with a maximum of 7.5)
- Impact analysis and fix planning within 30 days at most.
- Publication of a security advisory with a CVE ID if the CVSS score is ≥ 7.5. (Scoring at your discretion, with a maximum of 7.5)
- No fix will ever be released silently.
In parallel, we make the following commitments to ensure responsible and ethical vulnerability handling:
- We will not take legal action against researchers acting in good faith, particularly within the scope of the YesWeHack program managed by TouchWeb SAS.
- We guarantee that no confidentiality agreement, including in white-label contexts, will prevent the transparent publication of a security advisory with a CVE ID, in line with industry best practices.
We are fully aware that this transparency is essential to enable the relevant third parties (agencies, merchants, etc.) to meet their compliance obligations, particularly within the framework of the PCI-DSS standard or one of its simplified versions, such as SAQ-A.
Publication Authorization
We expressly authorize the company TouchWeb SAS to publish information related to patched vulnerabilities in our modules on its official website, in accordance with the commitments of the Responsible Cybersecurity Charter.
This publication may include:
- A CVE identifier associated with the vulnerability.
- A security notice clearly describing the issue and its resolution.
- The affected versions and the version containing the fix.
- An easy-to-apply patch where updates are difficult to implement.
- Any useful information to help users and agencies protect themselves quickly.