Security: BrockleyJohn/Responsive-osCommerce

Security

.github/SECURITY.md

Security Policy

Supported Versions

We fix security problems in the latest version. These fixes can often be backported to previous versions, but we don't usually issue revisions of older releases.

All versions pre-Phoenix are now out of support entirely. This includes Edge, Frozen, and Gold.

The latest .0 is in long-term support. People running versions prior to that should update at least to the latest .0 release before reporting security vulnerabilities. We prefer that reports are made against the latest release.

Reporting a Vulnerability

To report a security vulnerability, please do one of the following:

  1. Join the CE Phoenix Cart Forum and send a PM to ecartz and burt.
  2. Email ecartz and gburton, using the commit email addresses.
  3. Use the Contact Us page.

PM on the forum is preferred, as it is as close to private issue tracking as possible.
The other methods offer less tracking and less ability to communicate with the original reporter, but are allowable in case someone objects to registering on the forum.

Note that if GitHub creates private security issue tracking, we would support that, to the point of making it the preferred reporting method. If that happens, you may start using it before it is officially announced here.

There aren’t any published security advisories