We take security very seriously and adopt industry best practices to
minimize the likelihood of introducing vulnerabilities in the Solidus
codebase. For us, security also means having a clear policy in place
for reporting and patching vulnerabilities.
Solidus versions will receive security patches for 18 months after
their initial release.
The following table lists the latest versions with their release date,
EOL date and current support status.
We promise to always be responsive and grateful to those who report
security vulnerabilities following the instructions described here.
All security bugs in Solidus should be reported through our
vulnerability disclosure program page at HackerOne. This will
deliver a message to a subset of the Core Team who handle
security issues. Your report will be acknowledged as soon as possible
and we'll try to get in touch within 5 days.
We may ask you to join the GitHub Security Advisory created for your
report so you can help us learn more about the issue, work on the fix,
and stay informed on progress.
Alternatively, you'll receive a detailed response indicating the
next steps in handling your report. After the first reply to your
report, the security team will keep you informed of the progress
being made towards a fix and a public announcement. These updates will be
sent at least every 5 days.
If you have not received a reply to your report within 5 days, or have
not heard from the security team for the past 5 days, please either:
All response target times are tracked and reported in business days.
Business days are defined to be:
These actions should be done within the same business day.
The best way to receive all the security announcements is to
enable alerts for vulnerable dependencies in GitHub
or to subscribe to the
Solidus Security mailing list.
The mailing list is very low traffic, and it receives the public
notification the moment a vulnerability is published.
If you have any suggestions to improve this policy, please send an
email to the
security policy team.
In addition to the disclosure program above, we also enforce the
security of the codebase and released gems through the following