Responsible Cybersecurity Charter


Last updated 14/05/2025 by Vincent G.

🌍 For a safer and more responsible PrestaShop ecosystem



PrestaShop vulnerabilities are a natural part of a software's lifecycle. Acknowledging, fixing, and publishing them responsibly is a sign of professionalism and an ethical commitment to merchants, agencies, and the entire PrestaShop community.

This charter is offered to module developers who wish to engage in a transparent and trustworthy approach.



At TouchWeb, we don’t bury problems - we document them, then we solve them.



This charter follows up on the announcements made during the Dev PrestaShop Conference 2024, which was the subject of an article on the official PrestaShop blog.

Only developers who sell on the PrestaShop Marketplace and adhere to this charter will be eligible for our Bug Bounty program launched on YesWeHack, in partnership with PrestaShop SA. This restriction is due to legal constraints, in particular the reciprocity of the non-aggression clause required by YesWeHack.

This initiative, entirely free of charge, is offered by TouchWeb in the spirit of responsible contribution to the PrestaShop ecosystem. There is no fee required to join the charter, use the badge, or be listed among the members.




🎯 Charter Objectives

  • Encourage the responsible disclosure of patched vulnerabilities.
  • Standardize security best practices within the PrestaShop ecosystem.
  • Foster long-term trust between module developers, merchants, and security professionals.

🔐 PCI DSS Compliance: A Key Issue for All Merchants



All merchants accepting online payments must comply with the PCI DSS security standard (Payment Card Industry Data Security Standard), or with one of its simplified versions, at a minimum SAQ-A, when using a payment service provider via redirection or iframe (e.g., PayPal, Stripe, PayPlug, etc.).

Section 6.2 of the standard requires the prompt application of security patches for all identified vulnerabilities, including those found in PrestaShop modules used by the merchant. This requirement implies:

  • That vendors publicly disclose patched vulnerabilities with at least basic technical details
  • That this information can be processed by VMS (Vulnerability Management Systems), allowing merchants, agencies, or managed service providers to identify and prioritize patches to apply


The charter also aims to enable e-commerce professionals to fulfill their contractual obligations with their banks or payment service providers.


📜 Member Commitments



By joining this charter, you commit to:


1. 🔍 Acknowledge that vulnerabilities exist



No software is flawless. A discovered, fixed, and responsibly published vulnerability is a sign of a serious publisher - not a failure.


2. 💬 Follow responsible disclosure practices



You commit to responding respectfully and constructively to anyone reporting a vulnerability with a CVSS score, as validated by TouchWeb, of ≥ 7.5 (or ≥ 4.0 if possible), avoiding denial or legal threats.

An initial response must be provided within 7 calendar days to acknowledge receipt and begin handling the report.

A patch must be delivered within 30 calendar days and officially published within 3 to 12 months depending on ecosystem update complexity and severity.


3. 📝 Responsibly publish every fixed vulnerability



You agree to clearly document each security fix with a CVSS score ≥ 7.5 (or ≥ 4.0 if possible), including:

  • The range of affected versions
  • A clear description of the vulnerability and its impact
  • When possible, a minimal standalone patch for integrators
  • A CVE ID and a corresponding security advisory


A significant number of merchants are unfamiliar with the concept of MCS (Security Maintenance). As a result, we regularly observe questionable practices regarding module updates, even when critical vulnerabilities have been patched.

From a legal standpoint, as module developers, you are protected by the copyleft inherited from PrestaShop's license. However, this is not the case for agencies and managed service providers, who fully assume legal responsibility for the RMP (Risk Mitigation Plan) within client environments (TMA, managed services).

This is why we ask you, out of professional solidarity, to provide a fix in the form of a simple and quick patch whenever a security issue is addressed. A full module update will, in many cases, be rejected by the client - out of caution, budget limitations, or lack of understanding. A focused patch allows timely and efficient action.

TouchWeb can help: we are also PHP developers and can assist you in writing a minimal, stable and deployable fix, ensuring your response meets both the technical and ethical expectations.


4. 🚫 Never silently fix a vulnerability



Users must be informed of every fix without barriers or opacity.

White-label module providers must contractually require their clients to publish corrected vulnerabilities through a security advisory with a CVE ID. Transparency cannot be waived for commercial confidentiality.

Transparency regarding security must never be hindered by confidentiality clauses.

In case of uncertainty about impact, TouchWeb commits to assisting with CVSS impact analysis.


Cybersecurity doesn't need silence - it needs courage.


5. 📦 Provide modules upon request



You authorize TouchWeb's DevSecOps team to request a full copy of one or more of your modules at any time as part of a preventive or corrective security process.

This request is subject to the confidentiality of analysis unless a CVSS score ≥ 7.5 vulnerability is identified.


6. 🛡️ Public Security Policy Requirement



Module developers commit to maintaining a publicly accessible page (referred to as their “security page”), which will be referenced on this page by TouchWeb.

This page, indexable by search engines (Google, Bing, etc.), must reflect their cybersecurity posture and explicitly include the following commitments:

  • Define a clear procedure for responsible vulnerability reporting.
  • Commit to a documented, transparent, and accessible vulnerability management policy.
  • Ensure no legal action is taken against good-faith researchers or contributors acting under responsible disclosure, including via YesWeHack (reciprocity of non-prosecution clause).
  • Publish a security advisory with a CVE ID for CVSS scores validated by TouchWeb ≥ 7.5 (or ≥ 4.0 if politically feasible).
  • Formally authorize TouchWeb SAS to list vulnerabilities on https://www.touchweb.fr
  • Display a link to this charter with the TouchWeb reassurance badge.


This fosters trust with security researchers, agencies, and end-users through proactive transparency.




🧾 How to become a member?



Joining the charter is completely free and open. No form, signature, or prior registration is required.

Prerequisite: you must be a PrestaShop module developer, distributing your modules via the PrestaShop Marketplace or your own website.

To become a member, simply:

  • 🛡️ Publish a public security page on your website, in line with the commitments described in the charter.
  • 🔗 Include a link to the official TouchWeb charter on this page, to allow verification of the commitment and help raise awareness of the initiative.
  • 📧 Notify us of this page (by email or using the contact form below).


Once your page has been verified, you will be added to the list of committed developers.

No contractual validation is required: publishing the page is considered as your commitment. Transparency is what matters.

You can find an example here: Example of a security policy page




🛠️ What TouchWeb Offers



As a member, you are not alone. TouchWeb supports you in making this approach possible and beneficial:


✅ CVSS Scoring Assistance



TouchWeb helps you define an objective CVSS (Common Vulnerability Scoring System) score based on standardized criteria: access vector, complexity, privileges, impact, etc.


✅ CVE Publication Support



TouchWeb supports you step by step in drafting a security advisory and requesting a CVE identifier, ensuring responsible disclosure that benefits the community.


✅ Positive Visibility



Charter members will be able to:

  • Display a "Responsible Cybersecurity" badge on their modules
  • Be listed on this page, showcasing their commitment to merchants and integrators
  • Gain exposure through our partner and client network


©️ Use of the "Responsible Cybersecurity" Badge



Use of the "Responsible Cybersecurity" badge (image above) is strictly regulated. This badge is a sign of ethical commitment to securing PrestaShop modules and ensuring transparency in development practices.

Any use of this badge on a web page must include a clickable link directly on the image, pointing to the official page of the Responsible Cybersecurity Charter.

This link allows agencies and merchants to verify the legitimacy of the developer's commitment and to review the detailed principles they adhere to. Failure to include this link constitutes a breach of the badge usage terms and may result in revocation of authorization to use it.

This badge is strictly reserved for developers who have officially signed the charter and are listed on the reference page.


📣 Contribution to Cybersecurity Evangelization



We rely on the members to actively promote this initiative.

  • Promote the badge: By showcasing the badge on their communication materials (product pages, documentation, websites, etc.), members help raise awareness among merchants, integrators, and service providers about the importance of cybersecurity.
  • Contribute to a safer ecosystem: This collective action aims to improve the quality and security standards of the PrestaShop ecosystem by strengthening user trust and highlighting committed actors.
  • Become a cybersecurity ambassador: Each member thus becomes a key player in the professionalization and security of PrestaShop, benefiting the entire community.



🤝 Committed publishers



The following publishers have officially endorsed the TouchWeb charter for responsible cybersecurity:

Table columns: Publisher, Official store, PrestaShop Marketplace, Security policy. Publishers listed:

  • 2N Technologies
  • Algo Factory
  • Ambris
  • BusinessTech
  • CibleWeb
  • Ébewè
  • JPresta
  • Kixell Tag
  • NetEnvie
  • Opart
  • PrestaModule
  • PrestaPlugins
  • RealDev
  • Sitolog



⏳ Publishers in the process of joining



We are currently contacting module developers. Security pages must be implemented by 05/31/2025.

Table columns: Publisher, Official store, PrestaShop Marketplace, Security policy. Publishers listed (status of the security policy, where given):

  • 202-ecommerce (in progress)
  • Adilis (in progress)
  • ComonSoft (in progress)
  • DM Concept (in progress)
  • Dream me up
  • Ecomiz
  • EtherCreation
  • Kiwik
  • LibraSoft (in progress)
  • Nukium (in progress)
  • PrestaRocket
  • PrestaSafe (in progress)
  • ScaleDEV (in progress)
  • Softizy (in progress)

Would you like to talk with us?