🌍 For a safer and more responsible PrestaShop ecosystem
PrestaShop vulnerabilities are a natural part of a software's lifecycle. Acknowledging, fixing, and publishing them responsibly is a sign of professionalism and an ethical commitment to merchants, agencies, and the entire PrestaShop community.
This charter is offered to module developers who wish to engage in a transparent and trustworthy approach.
This charter follows up on the announcements made during the Dev PrestaShop Conference 2024, which was the subject of an article on the official PrestaShop blog.
Only developers who sell on the PrestaShop Marketplace and adhere to this charter will be eligible-due to legal constraints (in particular, the reciprocity of the non-aggression clause required by YesWeHack)-for our Bug Bounty program launched on YesWeHack, in partnership with PrestaShop SA.
This initiative, entirely free of charge, is offered by TouchWeb in the spirit of responsible contribution to the PrestaShop ecosystem. There is no fee required to join the charter, use the badge, or be listed among the members.
🎯 Charter Objectives
- Encourage the responsible disclosure of patched vulnerabilities.
- Standardize security best practices within the PrestaShop ecosystem.
- Foster long-term trust between module developers, merchants, and security professionals.
🔐 PCI DSS Compliance: A Key Issue for All Merchants
All merchants accepting online payments must comply with the PCI DSS security standard. (Payment Card Industry Data Security Standard), or one of its simplified versions - at a minimum, SAQ-A - when using a payment service provider via redirection or iframe (e.g., PayPal, Stripe, PayPlug, etc.).
Section 6.2 of the standard requires the prompt application of security patches for all identified vulnerabilities, including those found in PrestaShop modules used by the merchant. This requirement implies:
- That vendors publicly disclose patched vulnerabilities with at least basic technical details
- That this information can be processed by VMS (Vulnerability Management Systems), allowing merchants, agencies, or managed service providers to identify and prioritize patches to apply
The charter also aims to enable e-commerce professionals to fulfill their contractual obligations with their banks or payment service providers.
For the more technical among you: the current tolerance granted by banks regarding SAQ compliance stems from a lack of understanding of the specificities of e-commerce CMS platforms. If module developers and integrators fail to take responsibility quickly, this tolerance could vanish - pushing many merchants from SAQ A to SAQ A-EP, which is significantly more demanding in terms of compliance. This shift will become inevitable as soon as banks realize the need to ensure the integrity of payment pages to counter modern web skimming techniques. Attacks are evolving: traditional XSS with off-site exfiltration is being replaced by RCEs involving SSRF, where exfiltration occurs on-site, rendering CSP protections ineffective. Only active security measures - such as WAF, IPS, and FIM - can effectively counter this threat today.
📜 Member Commitments
By joining this charter, you commit to:
1. 🔍 Acknowledge that vulnerabilities exist
No software is flawless. A discovered, fixed, and responsibly published vulnerability is a sign of a serious publisher - not a failure.
2. 💬 Follow responsible disclosure practices
You commit to responding respectfully and constructively to anyone reporting a vulnerability with a CVSS score, validated by TouchWeb, ≥ 7.5 (or ≥ 4.0 if possible), avoiding denial or legal threats.
An initial response must be provided within 7 calendar days to acknowledge receipt and begin handling the report.
A patch must be delivered within 30 calendar days and officially published within 3 to 12 months depending on ecosystem update complexity and severity.
3. 📝 Responsibly publish every fixed vulnerability
You agree to clearly document each security fix with a CVSS score ≥ 7.5 (or ≥ 4.0 if possible), including:
- The range of affected versions
- A clear description of the vulnerability and its impact
- When possible, a minimal standalone patch for integrators
- A CVE ID and a corresponding security advisory
A significant number of merchants are unfamiliar with the concept of MCS (Security Maintenance). As a result, we regularly observe questionable practices regarding module updates, even when critical vulnerabilities have been patched.
From a legal standpoint, as module developers, you are protected by the copyleft inherited from PrestaShop's license. However, this is not the case for agencies and managed service providers, who fully assume legal responsibility for the RMP (Risk Mitigation Plan) within client environments (TMA, managed services).
This is why we ask you, out of professional solidarity, to provide a fix in the form of a simple and quick patch whenever a security issue is addressed. A full module update will, in many cases, be rejected by the client - out of caution, budget limitations, or lack of understanding. A focused patch allows timely and efficient action.
TouchWeb can help: we are also PHP developers and can assist you in writing a minimal, stable and deployable fix, ensuring your response meets both the technical and ethical expectations.
It is important to highlight a structural antagonism: publishing a patch is essential, but it also publicly exposes the vulnerability vector, mechanically allowing any intermediate to senior-level attacker to derive a PoC (Proof of Concept - a malicious payload used to exploit the flaw).
This is a well-known tension: fixing is already a partial disclosure.
TouchWeb SAS has never published a targeted PoC, except in cases of proven exploitation detected through our weak signal monitoring tools. In such cases, its release becomes a defensive lever, particularly for technical solutions that do not follow the OWASP CRS recommendations and rely on blacklist-based mechanisms that require concrete signatures to be effective.
4. 🚫 Never silently fix a vulnerability
Users must be informed of every fix without barriers or opacity.
White-label module providers must contractually require their clients to publish corrected vulnerabilities through a security advisory with a CVE ID. Transparency cannot be waived for commercial confidentiality.
Transparency regarding security must never be hindered by confidentiality clauses.
In case of uncertainty about impact, TouchWeb commits to assisting with CVSS impact analysis.
5. 📦 Provide modules upon request
You authorize TouchWeb's DevSecOps team to request a full copy of one or more of your modules at any time as part of a preventive or corrective security process.
This request is subject to the confidentiality of analysis unless a CVSS score ≥ 7.5 vulnerability is identified.
6. 🛡️Public Security Policy Requirement
Module developers commit to maintaining a publicly accessible page (referred to as their “security page”), which will be referenced on this page by TouchWeb.
This page, indexable by search engines (Google, Bing, etc.), must reflect their cybersecurity posture and explicitly include the following commitments:
- Define a clear procedure for responsible vulnerability reporting.
- Commit to a documented, transparent, and accessible vulnerability management policy.
- Ensure no legal action is taken against good-faith researchers or contributors acting under responsible disclosure, including via YesWeHack (reciprocity of non-prosecution clause).
- Publish a security advisory with a CVE ID for CVSS scores validated by TouchWeb ≥ 7.5 (or ≥ 4.0 if politically feasible).
- Formally authorize TouchWeb SAS to list vulnerabilities on https://www.touchweb.fr
- Display a link to this charter with the TouchWeb reassurance badge
This fosters trust with security researchers, agencies, and end-users through proactive transparency.
For the more technically inclined: starting January 1st, 2027, the threshold above which a vulnerability will be publicly disclosed will be lowered to a CVSS score ≥ 6.5. This measure aims to accelerate the cleanup of the ecosystem, particularly regarding vulnerabilities affecting back-offices, type 1 XSS (Reflected XSS), and CSRF flaws. This change has been deliberately postponed, as we believe the average level of security education across the market remains insufficient and resistance to these topics is still too widespread. We rely on the adherents to this charter to actively raise awareness within their teams and help reduce this friction, so that such vulnerabilities are eventually identified and addressed professionally by default.
7. 🤝 Commitment to Active Contribution to the Initiative
Charter members acknowledge that the credibility of this initiative relies on a mutual commitment between TouchWeb and module developers.
As such, they commit to actively supporting the dissemination, legitimacy, and adoption of the charter, notably through the following actions:
- Sharing the charter on their digital platforms (website, documentation, modules – PrestaShop Marketplace exceptionally allows linking to the charter due to its importance).
- Promoting a culture of responsible security within the PrestaShop ecosystem.
- Encouraging constructive exchanges and feedback to collectively improve best practices.
- Cooperating in good faith with TouchWeb in the event of an incident, audit, or inquiry related to a vulnerability in their code.
Any promotion deemed ineffective or merely symbolic - including, but not limited to, the use of the "nofollow" attribute - may result in the invalidation of the charter membership, as it will be considered contrary to the spirit of sincere collaboration and mutual support expected from all members.
This dynamic of mutual engagement aims to strengthen the professionalization of the ecosystem, in the shared interest of developers, agencies, merchants, and security researchers.
The ultimate goal of this charter is to raise awareness among merchants, from the earliest stages of their projects, about the importance of selecting developers who apply rigorous security policies - adapted to a constantly evolving world and to the cybersecurity challenges posed by artificial intelligence.
🧾 How to become a member?
Joining the charter is completely free and open. No form, signature, or prior registration is required.
Prerequisite: you must be a PrestaShop module developer.
To become a member, simply:
- 🛡️ Publish a public security page on your website, in line with the commitments described in the charter
- 🔗 Include a link to the official TouchWeb charter on this page, to allow verification of the commitment and help raise awareness of the initiative.
- 📧 Notify us of this page (by email or using the contact form below)
Once your page is verified and indexed by the SERPs, you will be added to the list of committed publishers.
No contractual validation is required: publishing the page is considered as your commitment. Transparency is what matters.
You can find an example here: Example of a security policy page
Note: Deindexing your security page from the SERPs will be considered as a withdrawal of your commitment.
🛠️ What TouchWeb Offers
As a member, you are not alone. TouchWeb supports you in making this approach possible and beneficial:
✅ CVSS Scoring Assistance
TouchWeb helps you define an objective CVSS (Common Vulnerability Scoring System) score based on standardized criteria: access vector, complexity, privileges, impact, etc.
✅ CVE Publication Support
TouchWeb supports you step by step in drafting a security advisory and requesting a CVE identifier, ensuring responsible disclosure that benefits the community.
✅ Positive Visibility
Charter members will be able to:
- Display a "Responsible Cybersecurity" badge on their modules
- Be listed on this page, showcasing their commitment to merchants and integrators
- Gain exposure through our partner and client network
©️ Use of the "Responsible Cybersecurity" Badge
Use of the "Responsible Cybersecurity" badge (image above) is strictly regulated. This badge is a sign of ethical commitment to securing PrestaShop modules and ensuring transparency in development practices.
Any use of this badge on a web page must include a clickable link directly on the image, pointing to the official page of the Responsible Cybersecurity Charter.
This link allows agencies and merchants to verify the legitimacy of the developer's commitment and to review the detailed principles they adhere to. Failure to include this link constitutes a breach of the badge usage terms and may result in revocation of authorization to use it.
This badge is strictly reserved for developers who have officially signed the charter and are listed on the reference page.
📣 Contribution to Cybersecurity Evangelization
We rely on the members to actively promote this initiative.
- Promote the badge: By showcasing the badge on their communication materials (product pages, documentation, websites, etc.), members help raise awareness among merchants, integrators, and service providers about the importance of cybersecurity.
- Contribute to a safer ecosystem: This collective action aims to improve the quality and security standards of the PrestaShop ecosystem by strengthening user trust and highlighting committed actors.
- Become a cybersecurity ambassador: Each member thus becomes a key player in the professionalization and security of PrestaShop, benefiting the entire community.
🤝 Committed publishers
The following publishers have officially endorsed the TouchWeb charter for responsible cybersecurity:
| ✅ | Publisher | Official store |
PrestaShop Marketplace |
Security policy |
|---|---|---|---|---|
| ✅ | 2N Technologies | |||
| ✅ | Adilis | |||
| ✅ | Aikini | |||
| ✅ | Algo Factory | |||
| ✅ | Ambris | |||
| ✅ | Arpa3 | |||
| ✅ | Arnaud Merigeau | |||
| ✅ | Autour du Digital | |||
| ✅ | BusinessTech | |||
| ✅ | CibleWeb | |||
| ✅ | Com'onSoft | |||
| ✅ | Comptoir du code | |||
| ✅ | Dream me up | |||
| ✅ | Ébewè | |||
| ✅ | Ecomiz | |||
| ✅ | EtherCreation | |||
| ✅ | Home Made.io | |||
| ✅ | idnovate.com | |||
| ✅ | JPresta | |||
| ✅ | KerAwen | |||
| ✅ | Kiwik | |||
| ✅ | Kixell Tag | |||
| ✅ | La Bulle | |||
| ✅ | LibraSoft | |||
| ✅ | Loulou66 | |||
| ✅ | Lyondev | |||
| ✅ | Mediacom87 | |||
| ✅ | Mintfull Agency | |||
| ✅ | NDK Design | |||
| ✅ | Nemesis tech | |||
| ✅ | Netenvie | |||
| ✅ | Opart | |||
| ✅ | PhenixInfo | |||
| ✅ | PrestaEdit | |||
| ✅ | PrestaModule | |||
| ✅ | PrestaPlugins | |||
| ✅ | PrestaRocket | |||
| ✅ | PrestaSafe | |||
| ✅ | 📌 PrestaShop | |||
| ✅ | RealDev | |||
| ✅ | Reversia | |||
| ✅ | SeriousWeb | |||
| ✅ | Sitolog | |||
| ✅ | Softizy | |||
| ✅ | Soledis | |||
| ✅ | StoreCommander | |||
| ✅ | TuniSoft Solutions | |||
| ✅ | Ukoo / EveryParts | |||
| ✅ | Web Premiere |
⏳ Publishers in the process of joining
| ✅ | Publisher | Official store |
PrestaShop Marketplace |
Security policy |
|---|---|---|---|---|
| 202-ecommerce | In progress | |||
| Divioseo | In progress | |||
| DM Concept | In progress | |||
| E-Frogg | In progress | |||
| HiPresta | In progress | |||
| MDWeb | In progress | |||
| Nukium | In progress | |||
| ScaleDEV | In progress | |||
| TimActive | In progress |