Security Policy

Reporting a vulnerability

The security of our modules and the solutions we develop for our customers is paramount. That's why we encourage security researchers to carry out analyses on our solutions and to report any identified vulnerabilities to us, in line with good practice in responsible disclosure.

Please provide as much detail as possible in your report:

Our vulnerability management policy

In accordance with the TouchWeb charter for responsible cyber security, our team applies the following principles:
  • Acknowledgement of receipt of all relevant reports within a maximum of 7 days. (CVSS ≥ 7.5)
  • Impact analysis and planning of a patch within 30 days.
  • Publication of a security advisory with CVE if the CVSS score is ≥ 7.5.
  • No corrections will be published silently.
At the same time, we are making the following commitments to ensure responsible and ethical management of vulnerabilities:
  • Not to prosecute researchers acting in good faith, in particular as part of the YesWeHack programme managed by TouchWeb SAS.
  • To guarantee that no confidentiality agreement, including a white label agreement, can hinder the transparent publication of a security advisory with a CVE identifier, in compliance with the state of the art.
We are well aware that this transparency is essential to enable the third parties concerned (agencies, merchants, etc.) to meet their compliance obligations, particularly under the PCI-DSS standard or one of its lighter versions, such as SAQ-A.

Authorisation for publication

We expressly authorise TouchWeb SAS to publish information about corrected vulnerabilities in our modules on its official website, in line with the commitments of the Responsible Cyber Security Charter. This publication includes:
  • A CVE identifier associated with the vulnerability.
  • A security note clearly describing the problem and its resolution.
  • The versions concerned and the corrected version.
  • A patch that is easy to deploy when updating is not possible.
  • Any useful information enabling users and agencies to protect themselves quickly.
