Supported Versions
The CoCart Headless Security Team follows responsible disclosure: please alert the security team immediately and privately of any potential vulnerability. If a critical vulnerability is found in any of the current versions of a CoCart plugin, we may opt to backport patches to previous versions.

Community Edition

The community edition will no longer receive updates that optimise or add anything new, except security patches (if necessary).

| Version | Supported |
|---|---|
| 4.8.x | Yes |
| 4.7.x | Yes |
| 4.6.x | Yes |
| 4.5.x | Yes |
| 4.4.x | Yes |
| 4.3.x | Yes |
| 4.2.x | No |
| 4.1.x | No |
| 4.0.x | No |
| < 4.0.0 | No |
Core a.k.a. CoCart Starter

The core plugin has been rewritten to be faster and much more compatible with further development of new features, add-ons and support requirements.

| Version | Supported |
|---|---|
| 5.0.x | Yes |
Plus
| Version | Supported |
|---|---|
| 1.5.x | Yes |
| < 1.4.x | No |
JWT Authentication
| Version | Supported |
|---|---|
| 3.0.x | Yes |
| 2.5.x | Yes |
| 2.4.x | Yes |
| 2.3.x | Yes |
| 2.2.x | Yes |
| 2.1.x | Yes |
| 2.0.x | No |
| < 1.0.x | No |
Reporting a Vulnerability
For responsible disclosure of security issues, please submit your report following the instructions found at cocartapi.com/security-policy/. Our most critical targets are:

- CoCart Community Edition repository
- CoCart Starter
- CoCart Plus
- CoCart JWT Authentication repository
- cocartapi.com — the primary marketplace and marketing site.
Guidelines
We’re committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:

- Pen-testing Production:
  - Please set up a local environment instead whenever possible. Most of our code is open source (see above).
  - If that’s not possible, limit any data access/modification to the bare minimum necessary to reproduce a PoC.
  - Don’t automate form submissions! That’s very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.
- Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability.