1. Introduction

Plugins for ecommerce CMSs go by different names depending on the platform: plugins for Magento and WooCommerce, modules for PrestaShop, and Apps for Shopify. This document uses the general term plugin.

202 ecommerce produces 2 types of plugins:

Plugins for which 202 ecommerce is the publisher, which we call Apps & commercial modules.

Plugins that we produce on a white-label basis for ecommerce software publishers (example: PayPal module), which we call official connectors.

For official connectors, 202 ecommerce only provides maintenance and upgrades and, depending on the connector, support for merchants.


2. Merchant support policy

2.1. Support methods

To obtain support for a plugin published or managed by 202 ecommerce, you need to make a request via the interface indicated on the ‘Apps and modules’ page. Generally speaking, if the plugin is published in an application shop that allows you to contact the developer, this is the channel to use.

202 ecommerce works on working days and during working hours, all year round. We make every effort to respond to support requests within one working day.

202 ecommerce never modifies a merchant’s shop, be it content, configurations or computer code: 202 ecommerce proposes a resolution method whose implementation is the merchant’s responsibility.

How a support request is processed:

1 – Identifying the source of the malfunction

2 – Resolution, depending on the source of the problem:

  • Configuration problem or misunderstanding of how it works: the answer is delivered immediately, and it’s up to the merchant to change the configuration if necessary.
  • Plugin bug: 202 ecommerce corrects the plugin. A hotfix can be provided to the merchant to unblock them immediately, and the fix will be deferred to a later version of the plugin.

Plugin upgrades and fixes are tested on supported versions of the CMS, with native modules.

  • Incompatibility with another plugin or with a merchant’s specific development: 202 ecommerce documents the incompatibility found and is available to answer any questions raised. It is up to the merchant to involve the relevant parties.

2.2. Providing access to merchant shops

If 202 ecommerce requests access to the merchant’s ecommerce CMS (administration interface or FTP/SSH), the merchant is expressly requested to provide access created specifically for 202 ecommerce, with strong passwords, and which will be closed after the intervention of 202 ecommerce.

For its part, 202 ecommerce automatically deletes from its ticketing software the accesses provided by merchants one month after the close of the support request or the last exchange.

2.3. Data management policy

See legal notice. In the case of official connectors, in addition to the general data management policy, as 202 ecommerce acts as a subcontractor for software publishers, 202 ecommerce prohibits any use of merchant information for commercial canvassing activities.

3. Cybersecurity Policy

3.1. Transparency in the fight against cybercrime

In a distributed ecosystem (i.e. non-SaaS), transparency on the part of software publishers and plugin publishers with regard to vulnerability management is essential to enable the players involved (users, service providers, etc.) to take appropriate action.

202 ecommerce is also committed to respecting good practice in this area, in particular:

  • No silent patching: explicit patching and publication of CVEs where applicable
  • Analysis of any reports of potential vulnerabilities
  • Maintenance of a cybersecurity policy

3.2. Reporting and managing vulnerabilities

We encourage security researchers to carry out analyses on our plugins and to report any identified vulnerabilities to us, in accordance with good disclosure practices.

If you believe you have discovered a vulnerability in one of our plugins, you can report it to us responsibly at the address: tech at 202-ecommerce.com. We invite you to provide us with as many details as possible (description, impact, version affected, reproduction steps). Please note that non-reproducible discoveries or discoveries not directly related to our modules will be ignored.

We undertake to deal with such reports as follows:

  • Acknowledgement of receipt of all relevant reports within a maximum of 7 days. (CVSS ≥ 4.0 – Score at your discretion with a maximum of 7.5)
  • Impact analysis and planning of a patch within 30 days.
  • Publication of a security advisory with CVE if the CVSS score is ≥ 7.5.

We undertake not to prosecute researchers acting in good faith, particularly in the context of the YesWeHack programme managed by TouchWeb SAS.