Security Policy
An overview of CoCart Security Policy
Full details of the CoCart Security Policy can be found on cocartapi.com/security-policy/.
Supported Versions
The CoCart Headless Security Team believes in Responsible Disclosure by alerting the security team immediately and privately of any potential vulnerabilities. If a critical vulnerability is found in any of the current versions of a CoCart plugin, we may opt to backport any patches to previous versions.Core
| Version | Supported |
|---|---|
| 5.0.x | Yes |
| 4.6.x | Yes |
| 4.5.x | Yes |
| 4.4.x | Yes |
| 4.3.x | Yes |
| 4.2.x | No |
| 4.1.x | No |
| 4.0.x | No |
| < 4.0.0 | No |
Plus
| Version | Supported |
|---|---|
| 2.0.x | Yes |
| 1.6.x | Yes |
| 1.5.x | Yes |
| < 1.4.x | No |
JWT Authentication
| Version | Supported |
|---|---|
| 2.5.x | Yes |
| 2.4.x | Yes |
| 2.3.x | Yes |
| 2.2.x | Yes |
| 2.1.x | Yes |
| 2.0.x | Yes |
| < 1.0.x | No |
Reporting a Vulnerability
For responsible disclosure of security issues, please submit your report based on instructions found on cocartapi.com/security-policy/. Our most critical targets are:- CoCart Core repository
- CoCart Plus
- CoCart JWT Authentication repository
- cocartapi.com — the primary marketplace and marketing site.
Guidelines
We’re committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:- Pen-testing Production:
- Please setup a local environment instead whenever possible. Most of our code is open source (see above).
- If that’s not possible, limit any data access/modification to the bare minimum necessary to reproduce a PoC.
- Don’t automate form submissions! That’s very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.
- Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability.