Security

OXID eSales is an Open Source software vendor and takes security issues seriously.

Here, you will find information on how to report security-related issues to us and how we process such issues.

Reporting a security issue

If you have discovered a security issue in one of our products or services, get in touch with us immediately.

Process

  • Send an email to security@oxid-esales.com.
  • We will confirm that the email or bug report has been received by OXID eSales.
  • We will provide you with information on our progress in verifying and fixing the vulnerability, and the estimated date at which a security fix or new release will be available.
  • OXID eSales is happy to arrange an embargo date with you, at which you can issue a security bulletin, so you – apart from us – will be the first to report it to the general public.
    OXID eSales generally treats all reports as confidential and keeps the reporter anonymous, but if you wish, we will happily credit you in our security bulletin as the one who discovered the vulnerability.

For more information about how we deal with security issues, download our Security Whitepaper.

Information policy

Our policy is to limit public knowledge about a security issue until we provide a fix for it.

Why do we ask you to inform us beforehand and to arrange an embargo date?

Isn’t that in contrast to the concept of openly communicating?

No. It helps everyone running a shop if the vulnerability is not known to the general public until it has been fixed.

Otherwise, shop owners would run the risk of being exposed to publicly known but not yet fixed security vulnerabilities.

For any questions about the process of reporting a security issue, please do not hesitate to ask at security@oxid-esales.com.

Supported versions

When we release new security advisories, we only check whether supported versions are affected.

Older, unsupported versions may or may not have the same security vulnerabilities.

Security fixes or any bug fixes for older versions are not provided by OXID eSales.

We urge users of older versions to upgrade their OXID eShop installations.

Modules and extensions

If you found a security issue in

  • one of our extensions, drop us a note via security@oxid-esales.com.
  • a third-party extension, contact the developer of that extension first.
    If you cannot find the author, receive no answer, or run into similar problems, feel free to contact us as well.

Getting informed via security bulletins

OXID eSales will inform you via

  • security bulletins published on docs.oxid-esales.com under Security
  • Slack
  • the OXID eSales forum at forum.oxid-esales.com
  • relevant security mailing lists, to inform other vendors and Linux distributors about the security bulletin

As soon as an issue has been verified and fixed by our engineers, we will set an embargo date after which a security bulletin will be made available to the general public.

This will be done either when a fix for existing releases is available, or when a new release comes out that contains the security fix.

OXID eSales will not publicly announce security vulnerabilities that haven’t been fixed in stable releases yet.

Close OXID eSales partners will receive a notification of the upcoming bulletin approximately 48-96 hours before it is made available to the general public.