Security Policy
Vulnerability Reporting

The security of our modules and the websites we develop for our clients is paramount. This is why we encourage security researchers to conduct analyses on our modules and report any identified vulnerabilities to us, in accordance with responsible disclosure best practices.

If you believe you have discovered a vulnerability in one of our modules, you can report it responsibly via email at: security@businesstech.fr

We invite you to provide as much detail as possible in your report:

Essential Information to Include

  • Detailed description: Clearly explain the nature of the identified vulnerability
  • Impact assessment: Describe the potential consequences for users or websites
  • Affected versions: Specify which module versions are affected by the vulnerability
  • Reproduction steps: Provide a step-by-step guide to reproduce the issue
  • Proof of concept: If possible, include relevant screenshots or code snippets

Please note that findings that are not reproducible or not directly related to our modules will be disregarded.

We are committed to identifying and fixing any vulnerability, and to communicating transparently with all concerned parties throughout the process.

Our Vulnerability Management Policy

In accordance with the TouchWeb Charter for Responsible Cybersecurity, our team applies the following principles:

  • Acknowledgment of any relevant report within a maximum of 7 days. (CVSS ≥ 7.5)
  • Impact analysis and patch planning within a maximum of 30 days.
  • Publication of a security advisory with CVE if the CVSS score is ≥ 7.5.
  • No fix will be published silently.

In parallel, we make the following commitments to ensure responsible and ethical management of vulnerabilities:

  • Not to pursue researchers acting in good faith, particularly within the framework of the YesWeHack program managed by TouchWeb SAS.
  • To ensure that no confidentiality agreement, including white-label agreements, can hinder the transparent publication of a security advisory with a CVE identifier, in accordance with industry best practices.

We are fully aware that this transparency is essential to enable concerned third parties (agencies, merchants, etc.) to meet their compliance obligations, particularly in the context of the PCI-DSS standard or one of its lighter versions, such as SAQ-A.

Publication Authorization

We expressly authorize TouchWeb SAS to publish information regarding fixed vulnerabilities in our modules on its official website, in accordance with the commitments of the Responsible Cybersecurity Charter.

This publication includes:

  • A CVE identifier associated with the vulnerability.
  • A security note clearly describing the problem and its resolution.
  • The affected versions and the fixed version.
  • An easy-to-deploy patch when updating is not possible.
  • Any useful information allowing users and agencies to protect themselves quickly.

Publications

No publications to date.