Thank you for taking the time

We are intensely focused on keeping our customers’ data safe and secure here at FoxyCart. Any input that helps us better serve and protect our customers is welcome. We are glad that you took the time to contact us.

Reporting a security concern

Please email us at (using our public key and encrypting with PGP/GPG if possible) so that we can give it proper treatment and handling. We will reply back to you as quickly as we can, usually within 24 hours. If you have a less urgent request, please submit our normal contact form email our helpdesk. Please note that though we will try to respond to your initial contact as quickly as possible, we cannot promise immediate responses to followup emails. We will respond, but please understand we are dealing with many things on our end, and it might take us a week or more to add you to the Hall of Fame.

We are transparent and open with our customers. After we have identified and corrected the issue, we will issue a public statement giving full credit to the discoverer.

Before reporting a concern, please ensure you aren't reporting a known issue:

  • Form POSTs and GETs to /cart are possible from http. (http->https MITM attack vector.)
  • Forum login is possible over http.
  • Contact forms on do not have CSRF protection.
  • Any SSL issues on We use SSL exclusively in our application, not on our marketing site.
  • Account creation at does not have captcha or email validation.
  • Multiple failed login attempts for an invalid user do not result in an IP-based block. (Please note that multiple failed login attempts for a valid user will result in a temporary lock for that user.)
  • Clickjacking headers not present on some of our subdomains.
  • Editing certain non-user-controllable HTTP headers such as Referer can trigger a reflected XSS on certain pages.
  • SSL cipher strength issues as reported by automated scanning tools, unless you have a practical exploit.
  • Admin session is not invalidated on password reset. Sub-Domains & Third-Party Systems

We appreciate all vulnerability reports sent to us, but for certain systems we also encourage you to submit them to the appropriate company. Our application code is:

Our non-application systems utilizing 3rd party services are:

Tracking security issues

Have a security issue that you think affects FoxyCart stores? Please let us know. We track multiple security lists and watch for issues that affect our infrastructure. Once we are aware of an issue, here’s how we handle it:

  • We immediately patch and repair of any affected software or infrastructure.
  • We review our internal policies and procedures to understand how the issue arose.
  • We give full disclosure to our customers, crediting the person or team that discovered the issue and detailing our measures to resolve any impact and prevent any future recurrence.

Security is a major focus for us

We work with many security consultants in order to assure our continued compliance with PCI DSS, and most importantly, the continued security and integrity of all of our systems.

Thanks for working with us

We appreciate your time and skill in finding security vulnerabilities as well as the professional courtesy of taking the time to contact us.

We don't have an official bounty program, but for most small bugs in 3rd party systems (www, forum, wiki, affiliate) we mail out stickers at our discretion*, so please include your mailing address if you'd like some. As mentioned above, it may take a week or more to add your name to this Hall of Fame.

*Occasionally we receive reports that are valid only in theory or for educational purposes. We cannot promise our full attention in situations like this. Thanks for understanding.

"Hall of Fame"

We appreciate the security professionals who have responsibly disclosed potential issues to us. For clarification, we split this list between vulnerabilities found in our own systems (, and vulnerabilities in 3rd party systems we use (,,,,,, etc.).

The following are sorted from oldest (at the top) to newest (at the bottom).

FoxyCart Application Disclosures

3rd Party System Disclosures