Security Reporting Protocol

How to report a security issue in Zen Cart

If you find a security issue, such as a vulnerability, please do not release your finding publicly. Instead, send reports (including proof of concept) to security [AT] zen-cart [DOT] com. The core team will review your finding and respond appropriately.

Zen Cart takes security issues VERY seriously. Whenever a true security risk is discovered, a fix is posted immediately, using whatever means is most appropriate.

We appreciate hearing (privately) from the community about any security exploit risks found in Zen Cart code. We would rather hear about the situation privately so we can respond publicly with a fix for everyone. This helps keep existing shops safe without advertising the risk to would-be hackers and other bad guys.

Bounty? We will give recognition to matters reported via responsible-disclosure protocols, with working POC, and found to be valid and current, and for which a fix is published. As a community-supported open-source project, we do not offer financial compensation for reported bugs, however, we do appreciate and will recognize responsible reporting, as described herein.

You can view past security releases at the page security releases.




Still have questions? Use the Search box in the upper right, or try the full list of FAQs. If you can't find it there, head over to the Zen Cart support forum and ask there in the appropriate subforum. In your post, please include your Zen Cart and PHP versions, and a link to your site.

Is there an error or omission on this page? Please post to General Questions on the support forum. Or, if you'd like to open a pull request, just review the guidelines and get started. You can even PR right here.
Last modified September 5, 2024 by Chris Brown (9bc5bbca).