Security release process

Here is a short summary of the steps followed by the security team:

  1. Security issues are reported to [email protected] or through the Bug Bounty Program.

  2. Security issues are assessed to identify their criticality level.

  • Minor issues are scoped to be fixed in the next scheduled minor release
  • Critical issues are scoped to be fixed as soon as possible

  3. For both minor and critical issues, a GitHub Security Advisory will be created to register the issue in GitHub's CVE database.

  4. A Private Security Fork is used to prepare a patch Pull Request for the advisory. The Pull Request is then reviewed and tested by QA.

  5. When all patch Pull Requests are ready (in the event that multiple issues are reported), they are all merged, and a new patch release is built and delivered. Security Advisories are published, and the vulnerabilities are disclosed in a Release Note, urging all PrestaShop users to upgrade in order to protect their shops.

Security release workflow