Vulnerability Disclosure
How to report security vulnerabilities in Cresora Commerce.
Cresora takes security seriously. We encourage responsible disclosure of vulnerabilities and work with security researchers to improve our platform.
How to report
Email: security@cresoracommerce.com
Please encrypt sensitive reports using our PGP key (available on request from the security team).
What to include
A good vulnerability report includes:
- Description of the vulnerability and its potential impact
- Steps to reproduce (with as much detail as possible)
- Any proof-of-concept code or screenshots
- Your contact information for follow-up
What we ask of you
- Do not access or modify data belonging to other users
- Do not perform denial-of-service attacks
- Do not publicly disclose the vulnerability before we've had a chance to address it
- Give us a reasonable time to respond (typically 5 business days for initial triage)
Our commitments
- Acknowledge your report within 5 business days
- Provide regular updates on our progress
- Notify you when the issue is resolved
- Credit you in our security acknowledgments (if desired)
- Not pursue legal action for good-faith security research
Scope
In scope:
- api.cresoracommerce.com
- docs.cresoracommerce.com
- partner-portal.cresoracommerce.com
- Any Cresora-owned infrastructure
Out of scope:
- Third-party services we use (report these to the vendor)
- Social engineering attacks
- Physical attacks
- Denial-of-service attacks
Response timeline
| Milestone | Target |
|---|---|
| Initial acknowledgment | 5 business days |
| Severity assessment | 10 business days |
| Fix deployed (critical) | 30 days |
| Fix deployed (high) | 60 days |
| Fix deployed (medium/low) | 90 days |