Obviously, PrestaShop project security is a critical matter. PrestaShop teams are dedicated to keeping a high level of security in every aspect of the software.
However, software without vulnerabilities does not exist, which is why there is a security reporting process. If you find a security issue, please follow it to responsibly disclose your findings.
When the security team receives a security bug report, the report will be assigned to a primary handler. This person will coordinate the fix and release process, involving the following steps:
The security team will follow up with a response indicating the next steps in handling the report.
If the issue is confirmed, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
In general, public disclosure is made after the issue has been fully identified and a patch is ready to be released.
Here is a short summary of the steps followed by the primary handler:
Security issues are assessed to identify their criticality level.
For both minor and critical issues, a GitHub Security Advisory is created to register the issue in the GitHub CVE database.
A private security fork is used to prepare a patch Pull Request for the advisory. The Pull Request is then reviewed and tested by QA.
When all patch Pull Requests are ready (in the event that multiple issues are reported), they are all merged and a new Patch Release is built and delivered. Security Advisories are published and the vulnerabilities are disclosed in a Release Note, urging all PrestaShop users to upgrade in order to protect their shops.