Application security is often a forgotten aspect of the digital world. Everyone agrees that it is essential, but no one really wants to face its consequences. Today, in this guest blog post, it’s time to share the truths that no one wants to say.

This PrestaShop Developer Conference 2024 guest blog post is authored by Vincent Guesnard from TouchWeb and summarizes the presentation given during the event.

1. Why does no one want to publish vulnerabilities?

Cybersecurity can be considered a taboo subject. Many players prefer to avoid the topic rather than admit they don’t have complete control over it.

And yet, not mastering it isn’t a big deal.

  • Everyone has been in that position at some point.
  • Everyone has made mistakes.
  • What matters is the ability to question oneself, acknowledge weaknesses, and improve skills.

What’s more problematic isn’t lacking knowledge—it’s refusing to learn and grow.

Those who don’t talk about security for fear of criticism need to understand one thing: it’s often the least informed who criticize those trying to improve.

  • A true professional will never mock someone who seeks to learn.
  • A good expert will support and encourage those making the effort to grow.

Cybersecurity will only advance if we accept our imperfections and choose to improve together. Refusing to publish vulnerabilities, hiding mistakes, and avoiding questions out of fear of judgment—these are exactly the things that prevent the ecosystem from growing stronger and go against the values of open source.

Be courageous. Own what you don’t know yet, and strive to improve. You will never be alone. TouchWeb [Editor’s note: the guest blog author’s company] and other experts are here to support you, not to judge you.

2. Impostor syndrome: why do those who know stay silent?

There’s another reason behind the widespread silence: impostor syndrome. Many technicians, developers, and system administrators with the right skills hesitate to speak about cybersecurity, fearing they might say something inaccurate or face commercial repercussions.

In an environment where every mistake is scrutinized and criticized, staying silent feels safer than risking being called out. As a result:

  • Those with real expertise prefer to stay in the background.
  • Cybersecurity discussions are dominated by people who pretend to know everything but never contribute meaningfully.
  • The community remains stagnant while threats continue to evolve.

But it takes courage to speak up and advocate for security. Cybersecurity will only advance if those with knowledge share it—even imperfectly. Don’t isolate yourself. You can rely on the support of your peers, including TouchWeb, which has already taken on this role despite criticism. Cyber attackers aren’t waiting. If those with the skills don’t speak up, who will?

3. Commercial interests: could security be a threat to business?

Let’s be clear: cybersecurity is disruptive. Some platforms and software publishers prefer to hide vulnerabilities rather than deal with urgent patches. For some service providers, talking about security means generating support requests and customer inquiries that are difficult to bill.

Companies often prefer to believe they are not at risk as long as no visible incident has occurred. Security is a complex issue because it can expose weaknesses in systems and businesses. As long as a vulnerability has not been publicly revealed, it may be easier to hide it than to fix it.

4. No one wants to fund cybersecurity for small and medium-sized businesses

Companies that don’t generate millions of euros are the first victims of this inertia. Why? Because their security is of little interest to most stakeholders:

  • No guaranteed results → A client would rather believe they “won’t have any problems” than pay for imperfect protection against a hypothetical attack.
  • No dedicated budget → “Security? It’s too expensive and doesn’t offer a direct return on investment.”
  • A risk that doesn’t seem immediate → Until the day operations are halted and customer data is stolen by attackers… and by then, it’s too late.

Cybersecurity is seen as a luxury when it should be a necessity.

5. Crime driven by the need to survive

There is a truth no one dares to say: cases of credit card theft are reported less frequently… Why? Because they play a crucial role in the economic stability of many. When a merchant experiences credit card fraud, they know that speaking out publicly could cost them the trust of certain customers, partners, or even their banks.

In cases of payment card theft, platforms may downplay the visibility of fraud to maintain the confidence of merchants and investors. Service providers may also downplay incidents to avoid being held accountable.

Merchants often choose to handle losses from theft discreetly to protect their reputation and maintain customer trust. However, this lack of transparency has a significant consequence: it unintentionally contributes to the circulation of stolen credit card details. Merchants don’t always realize that by not reporting fraud, they are prioritizing the immediate stability of their business—while inadvertently benefiting criminals.

This creates a problematic cycle:

  • The fewer thefts that are reported, the more freely criminals can operate.
  • The more fraud cases increase, the stricter banks become with their requirements.
  • And the harder it becomes to sell online without facing rising security costs.

This lack of transparency creates a growing risk, and those who choose to ignore it today may face the consequences tomorrow. Action is needed: credit card fraud should not be a taboo subject. It is a structural issue that must be addressed collectively through reporting, protective measures, and robust cybersecurity practices.

We remind you that failing to report a large-scale credit card theft to the authorities, including law enforcement, could expose you to legal consequences for handling stolen goods. Believing that hiding thefts ensures survival is an illusion; in the long run, only transparency allows for sustainable growth.

6. The reality you must understand

At TouchWeb, we’re proud to be leading the charge in actively publishing security alerts and funding real-world cybersecurity actions – like Bug Bounty programs, audits, and public reports. While we’re not obligated to do this, we believe deeply in building a safer, stronger PrestaShop ecosystem for everyone.

We know that talking about vulnerabilities isn’t always easy – but it’s necessary. Transparency can be uncomfortable, but it’s also a sign of commitment. With support from PrestaShop SA and our network, we’ve taken the first steps. But real change requires a community effort.

Why does this matter? Because every action we take – every bug identified, every issue fixed, every security solution funded – is designed to protect merchants, developers, agencies, and customers alike.

But we can’t do it alone.

To continue this momentum, we’re setting a clear and ambitious goal: raise €80,000 over two years to strengthen the reactive security of the PrestaShop ecosystem through PrestaShop Marketplace. Specifically, we will reinvest 20% of our revenue exceeding €600,000 (excl. VAT) per year into YesWeHack rewards. The more our network grows, the more we can contribute to this essential mission. We are launching this initiative with an initial budget of €20,000 (excl. VAT), but to reach our target, we need the trust and commitment of agencies. Their involvement will be a key driver in ensuring long-term security within the PrestaShop ecosystem.

Cybersecurity is a shared responsibility. If our alerts have ever helped you, if you value a proactive approach to security, if you want to future-proof your business – now is the time to act.

Together, we can:

  • Protect merchants who can’t afford their own audits.
  • Encourage responsible disclosure and better practices.
  • Show that security isn’t a threat to growth – it’s a foundation for it.

Let’s build a safer PrestaShop ecosystem – openly, collaboratively, and sustainably.

We’ll reassess this initiative in June 2025, and your participation between now and then will help shape the path forward.

If you are a module creator, join the TouchWeb charter for responsible cybersecurity: only creators who have joined the charter will be eligible for our YesWeHack program.

Thank you to everyone who already believes in and supports this cause. Vincent from TouchWeb.

Note

This article is a contribution from a member of the PrestaShop community, and not a PrestaShop employee. If you too want to help the community by sharing tips and advice on the Build devblog, read this!