Security

= Reporting a security issue =

If you discovered a security issue in one of our products or services, please get in touch with us immediately. Our policy is to limit public knowledge about a security issue until we provide a fix for it.

We kindly ask you to inform us first and to keep the vulnerability confidential from the general public, as premature disclosure might compromise existing businesses.

This is the process:
 * 1) Please send an email to [mailto:security@oxid-esales.com security@oxid-esales.com]
 * 2) We will confirm that the email or bug report has been received by OXID eSales.
 * 3) OXID will provide you with information on our progress in verifying and fixing the vulnerability, and the estimated date at which a security fix or new release will be available.

OXID is happy to arrange an embargo date with you, at which you can issue a security bulletin, so that you - apart from us - will be the first to report it to the general public. OXID generally treats all reports as confidential and anonymous, but we will happily credit you in our security bulletin as the one who discovered the vulnerability if you want us to.

Why do we ask you to inform us beforehand and to arrange an embargo date? Isn't that in contrast to the concept of openly communicating? No. It helps everyone running a shop if the vulnerability is not known to the general public until it has been fixed. Otherwise shop owners are at risk of being exposed to publicly known vulnerabilities that have not been fixed yet.

For any questions about the process of reporting a security issue, please do not hesitate to ask on [mailto:security@oxid-esales.com security@oxid-esales.com].

= Supported versions =

When we release new security advisories, we only check if supported versions are affected. Currently supported versions are:
 * 4.6.x
 * 4.7.x/5.0.x

Older, unsupported versions may or may not have the same security vulnerabilities. Security fixes or any other bug fixes for older versions are not provided by OXID eSales unless you have a support contract. Security fixes for owners of a support contract will be provided until December 31st, 2009. We urge users of older versions to upgrade their OXID eShop installations.

= Getting informed through Security Bulletins =

OXID eSales will publish the bulletin to the OXIDforge wiki within the Security Bulletins category and will also inform the community via the mailing lists and the Announcement forum. We will also inform relevant security mailing lists about the bulletin to inform other vendors and Linux distributors.

As soon as the issue has been verified and fixed by our engineers, we will set an embargo date after which a security bulletin will be made available to the general public. This will be done either when a fix for existing releases is available, or when a new release comes out that contains the security fix. OXID will not publicly announce security vulnerabilities that have not yet been fixed in stable releases.

A few close OXID partners will receive a notification of the upcoming bulletin approximately 48-96 hours before it is made available to the general public.