Example of a Security Policy


Last updated 05/05/2025 by Vincent G.




🚨 Reporting a Vulnerability



The security of our modules and our clients is paramount. That's why we encourage security researchers to analyze our modules and report any identified vulnerabilities to us, in line with responsible disclosure best practices.

We are committed to identifying and fixing any vulnerability, and to communicating transparently with all relevant parties throughout the process.

If you believe you have discovered a vulnerability in one of our modules, you may report it responsibly via: [your email]

Optional (at your discretion – remove if not applicable) Only reports submitted with our public GPG key [link to your GPG key] will be processed; all others are deleted upon receipt.

Please provide as much detail as possible (description, impact, affected version, reproduction steps).

Optional (at your discretion – remove if not applicable) We inform you that non-reproducible reports or those unrelated to our modules will be ignored.


📜 Our Vulnerability Management Policy



In accordance with the TouchWeb Charter for Responsible Cybersecurity, our team applies the following principles:

  • Acknowledgement of any relevant report within a maximum of 7 days. (CVSS ≥ 4.0 – Scoring at your discretion with a maximum of 7.5)
  • Impact analysis and fix planning within a maximum of 30 days.
  • Publication of a security advisory with a CVE ID if the CVSS score is ≥ 7.5. (Scoring at your discretion with a maximum of 7.5)
  • No fix will ever be released silently.


In parallel, we make the following commitments to ensure responsible and ethical vulnerability handling:

  • We will not take legal action against researchers acting in good faith, particularly within the scope of the YesWeHack program managed by TouchWeb SAS.
  • We guarantee that no confidentiality agreement, including in white-label contexts, will prevent the transparent publication of a security advisory with a CVE ID, in line with industry best practices.


We are fully aware that this transparency is essential to enable the relevant third parties (agencies, merchants, etc.) to meet their compliance obligations, particularly within the framework of the PCI-DSS standard or one of its simplified versions, such as SAQ-A.


🛡️ Publication Authorization



We expressly authorize the company TouchWeb SAS to publish information related to patched vulnerabilities in our modules on its official website, in accordance with the commitments of the Responsible Cybersecurity Charter.

This publication may include:

  • A CVE identifier associated with the vulnerability.
  • A security notice clearly describing the issue and its resolution.
  • The affected versions and the version containing the fix.
  • An easy-to-apply patch where updates are difficult to implement.
  • Any useful information to help users and agencies protect themselves quickly.



The "Publication" section is optional but strongly encouraged – provided there are disclosures.

🔍 Disclosure



Below is the list of known and patched security vulnerabilities:


| Date | Module | Affected version(s) | Fixed version | CWE | CVSS | CVE |
|---|---|---|---|---|---|---|
| 2024-10-15 | XYZ Payment Module | 2.3.0 to 2.3.4 | 2.3.5 | CWE-22 | 7.5 | CVE-AAAA-BBBB [Link to the CVE published on TouchWeb.fr] |