Security Policy
Last updated: May 19, 2026
HiPresta is a member of the TouchWeb Charter for Responsible Cybersecurity. This page describes how we handle security vulnerabilities in our PrestaShop modules and outlines our commitments to the PrestaShop ecosystem.
1. Reporting a Vulnerability
The security of our modules and our clients is paramount. We encourage security researchers to analyze our modules and report any identified vulnerabilities, in line with responsible disclosure best practices.
We are committed to identifying and fixing any vulnerability, and to communicating transparently with all relevant parties throughout the process.
If you believe you have discovered a vulnerability in one of our modules, you may report it responsibly via: support@hipresta.com
Please provide as much detail as possible, including a description of the vulnerability, its potential impact, the affected module and version, and steps to reproduce the issue.
2. Our Vulnerability Management Policy
In accordance with the TouchWeb Charter for Responsible Cybersecurity, our team applies the following principles:
- Acknowledgement of any relevant report within 7 days maximum (CVSS ≥ 4.0).
- Impact analysis and fix planning within 30 days maximum.
- Publication of a security advisory with a CVE ID if the CVSS score is ≥ 7.5.
- No fix will ever be released silently.
In parallel, we make the following commitments to ensure responsible and ethical vulnerability handling:
- We will not take legal action against researchers acting in good faith, particularly within the scope of the YesWeHack program managed by TouchWeb SAS.
- We guarantee that no confidentiality agreement, including in white-label contexts, will prevent the transparent publication of a security advisory with a CVE ID, in line with industry best practices.
We are fully aware that this transparency is essential to enable the relevant third parties (agencies, merchants, etc.) to meet their compliance obligations, particularly within the framework of the PCI-DSS standard or one of its simplified versions, such as SAQ-A.
3. Publication Authorization
We expressly authorize the company TouchWeb SAS to publish information related to patched vulnerabilities in our modules on its official website, in accordance with the commitments of the Responsible Cybersecurity Charter.
This publication may include:
- A CVE identifier associated with the vulnerability.
- A security notice clearly describing the issue and its resolution.
- The affected versions and the version containing the fix.
- An easy-to-apply patch where updates are difficult to implement.
- Any useful information to help users and agencies protect themselves quickly.
4. Disclosure
Below is the list of known and patched security vulnerabilities in our modules.
| Date | Module | Affected | Fixed | CWE | CVSS | CVE |
|---|---|---|---|---|---|---|
| No known vulnerabilities have been disclosed to date. | | | | | | |
5. Contact
For any security-related inquiries, please contact us at: support@hipresta.com