Reporting vulnerabilities

We encourage our clients to responsibly report any security vulnerabilities they believe they have found during normal use of the platform.

If you wish to report a vulnerability, first work with your security and development teams to conduct a security assessment and rule out false positives or issues caused by your own custom configurations. Only cases that match the vulnerability definition below will be analyzed.

Please review the VTEX Security Practices document and our Security FAQ before reporting a vulnerability. These documents clarify our processes and help you rule out false positives.

Once you have done this, follow the steps below to report the vulnerability:

  1. Download the vulnerability notification template.

  2. Complete the vulnerability notification template with detailed information about each vulnerability detected. Add as many details as possible about the vulnerabilities you found, explaining the identified suspicion and providing proof and images to help us understand, reproduce, and validate the issue.

    Vulnerabilities must be reported individually, following the template. If you encountered more than one vulnerability in your test, complete one template per vulnerability and attach all of them to your ticket.

    All information requested in the template must be provided and is essential for the assessment. The VTEX Security team will not address vulnerability notifications that do not follow the established template.

  3. Open a ticket with our Support to submit the security vulnerability notification. Do not forget to attach the completed vulnerability notification template to the ticket.

  4. Save your ticket number, as you may need it in future communications.

Vulnerability definition

VTEX considers a security vulnerability to be any flaw in our components that could allow the confidentiality, integrity, or availability of products or infrastructure to be compromised in any way.

We do not consider the following to be vulnerabilities:

  • Presence or absence of HTTP headers (X-Frame-Options, CSP, nosniff, among others).
  • Lack of security attributes in cookies.
  • Cache-related issues.
  • Stack traces in error messages.
  • Content injection by admin users.
  • Customized store sections.
  • Autocomplete enabled on form fields.

Reply from VTEX

VTEX makes no commitment to reply to bulk reports generated by automated scanners. If your analysis is based on an automated vulnerability identification process, we recommend that a security professional review the reports and confirm the accuracy of the findings before you report them to VTEX.

VTEX is committed to responding to notifications received by Support as soon as possible, either to report on the vulnerability fix or to explain clearly why further analysis or a fix will not be pursued.

VTEX is dedicated to analyzing, verifying, and fixing any vulnerabilities reported to us that may threaten your security.
