We take security very seriously and adopt industry best practices to minimize the likelihood of introducing vulnerabilities in the Solidus codebase. For us, security also means having a clear policy in place for reporting and patching vulnerabilities.
Solidus versions will receive security patches for 18 months after their initial release.
The following table represents the latest versions with their release date, EOL date and current support state.
|Version||Supported||Release Date||EOL date|
We promise to be always responsive and thankful to those who report any security vulnerabilities following the instructions described here.
All security bugs in Solidus should be reported through our vulnerability disclosure program page at HackerOne. This will deliver a message to a subset of the Core Team who handle security issues. Your report will be acknowledged as soon as possible and we'll try to get in touch within 5 days.
We may ask you to access the Security Advisory created in GitHub to help us discover more about the report, fix it, and also to keep you informed on progress.
Alternatively, you’ll just receive a detailed response indicating the next steps in handling your report. After the first reply to your report, the security team will keep you informed of the progress being made towards a fix and full announcement. These updates will be sent at least every 5 days.
If you have not received a reply to your report within 5 days, or have not heard from the security team for the past 5 days, please, either:
All response target times are tracked and reported in business days. Business days are defined to be:
These actions should be done within the same business day.
The best way to receive all the security announcements is to enable alerts for vulnerable dependencies in GitHub or to subscribe to the Solidus Security mailing list. The mailing list is very low traffic, and it receives the public notifications the moment the vulnerability is published.
If you have any suggestions to improve this policy, please send an email to the security policy coordinator.
In addition to the Disclosure Program above we also enforce the security of the codebase and released gems through the following initiatives: