Thank you for taking the time
We are intensely focused on keeping our customers’ data safe and secure here at FoxyCart. Any input that helps us better serve and protect our customers is welcome. We are glad that you took the time to contact us.
Reporting a security concern
Please email us at firstname.lastname@example.org (using our public key and encrypting with PGP/GPG if possible) so that we can give it proper treatment and handling. We will reply back to you as quickly as we can, usually within 24 hours. If you have a less urgent request, please submit our normal contact form email our helpdesk. Please note that though we will try to respond to your initial contact as quickly as possible, we cannot promise immediate responses to followup emails. We will respond, but please understand we are dealing with many things on our end, and it might take us a week or more to add you to the Hall of Fame.
We are transparent and open with our customers. After we have identified and corrected the issue, we will issue a public statement giving full credit to the discoverer.
Before reporting a concern, please ensure you aren't reporting a known issue:
- Form POSTs and GETs to /cart are possible from http. (http->https MITM attack vector.)
- Forum login is possible over http.
- Contact forms on www.foxycart.com do not have CSRF protection.
- Any SSL issues on www.foxycart.com. We use SSL exclusively in our application, not on our marketing site.
- Account creation at admin.foxycart.com does not have captcha or email validation.
- Multiple failed login attempts for an invalid user do not result in an IP-based block. (Please note that multiple failed login attempts for a valid user will result in a temporary lock for that user.)
- Clickjacking headers not present on some of our subdomains.
- Editing certain non-user-controllable HTTP headers such as Referer can trigger a reflected XSS on certain pages.
- SSL cipher strength issues as reported by automated scanning tools, unless you have a practical exploit.
- Admin session is not invalidated on password reset.
FoxyCart.com Sub-Domains & Third-Party Systems
We appreciate all vulnerability reports sent to us, but for certain systems we also encourage you to submit them to the appropriate company. Our application code is:
- example.foxycart.com (enter through our www site)
- api.foxycart.com (if you hit this in a browser it will redirect to documentation; try in a console for more possibilities)
- www.foxycart.com uses HiFi CMS
- forum.foxycart.com uses Vanilla
- affiliate.foxycart.com uses iDevAffiliate
- wiki.foxycart.com (and docs.foxycart.com) uses Dokuwiki
- requests.foxycart.com uses UserVoice
Tracking security issues
Have a security issue that you think affects FoxyCart stores? Please let us know. We track multiple security lists and watch for issues that affect our infrastructure. Once we are aware of an issue, here’s how we handle it:
- We immediately patch and repair of any affected software or infrastructure.
- We review our internal policies and procedures to understand how the issue arose.
- We give full disclosure to our customers, crediting the person or team that discovered the issue and detailing our measures to resolve any impact and prevent any future recurrence.
Security is a major focus for us
Thanks for working with us
We appreciate your time and skill in finding security vulnerabilities as well as the professional courtesy of taking the time to contact us.
We don't have an official bounty program, but for most small bugs in 3rd party systems (www, forum, wiki, affiliate) we mail out stickers at our discretion*, so please include your mailing address if you'd like some. As mentioned above, it may take a week or more to add your name to this Hall of Fame.
*Occasionally we receive reports that are valid only in theory or for educational purposes. We cannot promise our full attention in situations like this. Thanks for understanding.
We appreciate the security professionals who have responsibly disclosed potential issues to us. For clarification, we split this list between vulnerabilities found in our own systems (admin.foxycart.com, example.foxycart.com) and vulnerabilities in 3rd party systems we use (www.foxycart.com, affiliate.foxycart.com, forum.foxycart.com, requests.foxycart.com, wiki.foxycart.com, docs.foxycart.com, etc.).
The following are sorted from oldest (at the top) to newest (at the bottom).
FoxyCart Application Disclosures
- Yaroslav Olejnik - O.J.A.
- Edis Konstantini
- Kamil Sevi
- Jayvardhan Singh
- Parichay Rai
- Tejash Patel
- Parveen Yadav & Mayank Bhatodra
- Rafael Pablos
- Nakul Mohan
- Dibyendu Sikdar
- Narendra Bhati
- Mazen Gamal
- Kalpesh Makwana
- Aditya Agrawal
- Sangeetha Rajesh S
- Abdul Haq Khokhar
- Areeb Khan
- Kiran Karnad
- Justine Edic
- Gineesh George
- FaisaL Ahmed
- Md Ishrat Shahriyar
3rd Party System Disclosures
- Sergey Bobrov
- Danish Tariq & Noman Ramzan
- Ahmad Ashraff
- Jatinpreet Singh
- J Muhammed Gazzaly
- Anand Prakash
- Ahmad Ashraff
- Prem Kumar
- Vaibhav Deshmukh
- Atulkumar Hariba Shedage
- Sasi Levi
- Sahil Saif
- Ali Hasan Ghauri
- Yazane Hassan
- Evan Ricafort
- Rodolfo Godalle, Jr.
- Rakesh Singh & Harish Kumar
- Jerold Camacho
Owais Ahmed Siddiqui