OXID eSales is an Open Source software vendor and naturally takes security issues seriously. Here you will find information on how to report security-related issues to us and how we process such reports.
Reporting a security issue
If you have discovered a security issue in one of our products or services, please get in touch with us immediately. Our policy is to limit public knowledge of a security issue until we have provided a fix for it.
This is the process:
- Please send an email to firstname.lastname@example.org
- We will confirm that OXID eSales has received your email or bug report.
- OXID will keep you informed about our progress in verifying and fixing the vulnerability, and about the estimated date at which a security fix or a new release will be available.
OXID is happy to arrange an embargo date with you, at which you can issue your own security bulletin, so that you will be the first, apart from us, to report the issue to the general public. OXID generally treats all reports as confidential and anonymous, but if you wish, we will gladly credit you in our security bulletin as the person who discovered the vulnerability.
Why do we ask you to inform us beforehand and to arrange an embargo date? Isn't that at odds with the idea of open communication? No. It helps everyone running a shop if the vulnerability is not known to the general public until it has been fixed. Otherwise shop owners are exposed to publicly known vulnerabilities for which no fix exists yet.
For any questions about the process of reporting a security issue, please do not hesitate to ask on email@example.com.
When we release new security advisories, we only check whether supported versions are affected. Currently supported versions are:
Older, unsupported versions may or may not be affected by the same security vulnerabilities. OXID eSales does not provide security fixes or any other bug fixes for older versions. We urge users of older versions to upgrade their OXID eShop installations.
Modules and extensions
If you have found a security issue in one of our extensions, please drop us a note via firstname.lastname@example.org.
If you have found a security issue in a third-party extension, please contact the developer of that extension first. If you cannot find the author, receive no answer, or run into similar problems, feel free to contact us as well.
Getting informed via Security Bulletins
OXID eSales publishes each bulletin to the OXIDforge wiki in the Security Bulletins category and also informs the community via Slack and the Announcement forum. We additionally notify relevant security mailing lists about the bulletin, so that other vendors and Linux distributors are informed.
As soon as our engineers have verified and fixed the issue, we set an embargo date after which the security bulletin is made available to the general public. This happens either when a fix for existing releases is available or when a new release containing the security fix comes out. OXID will not publicly announce security vulnerabilities that have not yet been fixed in stable releases.
A few close OXID partners receive a notification of the upcoming bulletin approximately 48-96 hours before it is made available to the general public.