Protecting the business, data and privacy of PrestaShop’s users is one of our top priorities. We build our software with this goal in mind. That’s why we decided to put our security to the test. To encourage the security community to help us, today we are announcing our first bug bounty program!

Why this program

Bug bounties are used by many leading companies to improve the security of their products. These programs provide an incentive for researchers to responsibly disclose software bugs and allow security teams to leverage the external community to help keep users safe.

Cyber criminals from around the world are continuously finding new ways of breaking websites or stealing personal information, even more so when they are related to e-commerce.

Bug bounty programs are all about prevention. They are an invitation for White Hat hackers to thoroughly scrutinize our software and report any hidden issues they find. This will allow us to discover and patch hidden vulnerabilities before any “bad guys” exploit them in production sites.

What’s in scope

First of all, keep in mind this bounty programm does not concern regular bugs, but only security flaws. If you encounter any bug in PrestaShop not related to security, feel free to create an issue in our public bug tracker.

Second, this bounty program covers code from our GitHub repository PrestaShop/PrestaShop plus all PrestaShop modules defined in the composer.json file.

We are particularity interested in Remote Code Execution, SQL Injections, Authentication bypass, and obviously XSS with demonstrable business impact.

Also, we consider that vulnerabilities with a CVSS3 score lower than 4.0 are non-qualifying, unless it can be combined with other vulnerabilities to achieve a higher score.

Find more information about qualifying and non-qualifying vulnerabilities and of course everything about vulnerability disclosure on PrestaShop’s YesWeHack Public Program!

Let the hunt begin!