
Overview

Proper application design, intelligent programming, and secure infrastructure are all essential in creating a secure e-commerce store using any software (Spree included). The Spree team has done its best to provide you with the tools to create a secure and profitable web presence, but it is up to you to take these tools and put them in good practice. We highly recommend reading and understanding the Rails Security Guide.

Supported Versions

The following versions are actively maintained and receive security patches.
Version   Release date (DD.MM.YYYY)   End of life (DD.MM.YYYY)
5.0       26.03.2025                  26.03.2028
4.10      06.09.2024                  06.09.2027
If you’re using an older version, please upgrade. Having trouble upgrading? Contact us for support. Versions not listed above do not receive security patches or fixes.

Reporting Security Issues

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests. Instead, please send an email to security@spreecommerce.org. Please include as much of the following information as possible to help us triage your report:
  • Type of vulnerability (e.g. SQL injection, XSS, CSRF, etc.)
  • Affected version(s)
  • Step-by-step instructions to reproduce the issue
  • Proof of concept or exploit code (if available)
  • Impact assessment of the vulnerability

Submitting a Patch

If you would like to provide a patch for the security issue yourself, do not open a pull request for it, since a pull request would disclose the issue publicly. Instead, create a commit with the fix on your fork of Spree and run this command:
git format-patch HEAD~1..HEAD --stdout > patch.txt
Email a description of the patch along with the patch.txt file to security@spreecommerce.org.
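The steps above as a runnable script. This is an added example, not code from the Spree project: it exports the fix commit with the same git format-patch command, then dry-runs the resulting patch.txt against the tree as it was before the fix, which is what the maintainers will apply it to. The repository it builds (demo_repo, a one-file stand-in for a fork with a vulnerable lookup and a fix commit) is constructed for the demo; the function names are this script's own.

```shell
#!/bin/sh
# Added example, not from the Spree docs: export the fix commit exactly as the
# page's command does, then dry-run the patch against the pre-fix tree so the
# file you email is known to apply. The demo repository below is constructed.
set -eu

# gitc DIR ARGS...: run git in DIR with an explicit identity, so the demo
# does not depend on the global git config of whoever runs it.
gitc() { d="$1"; shift; git -C "$d" -c user.name=Reporter -c user.email=reporter@example.com "$@"; }

# make_security_patch REPO OUT: write the last commit of REPO to OUT in
# mailbox format (what `git am` consumes) and verify it applies to HEAD~1.
make_security_patch() {
  repo="$1"; out="$2"
  # HEAD~1..HEAD is exactly one commit: the fix. Keep the fix in a single
  # commit so the maintainers receive one self-contained patch.
  git -C "$repo" format-patch HEAD~1..HEAD --stdout > "$out"
  # Maintainers apply this to a tree that does not have the fix yet, so
  # check it there: clone, step back one commit, then `apply --check`,
  # which touches nothing and fails if the patch would not apply cleanly.
  scratch=$(mktemp -d)
  git clone -q "$repo" "$scratch/clone"
  git -C "$scratch/clone" checkout -q HEAD~1
  git -C "$scratch/clone" apply --check "$out"
  rm -rf "$scratch"
  printf '%s\n' "$out"
}

# demo_repo: constructed stand-in for a Spree fork with a base commit and a
# fix commit on top; prints the repository path.
demo_repo() {
  dir=$(mktemp -d)
  git init -q "$dir"
  cat > "$dir/lookup.rb" <<'EOF'
def lookup(q)
  where("name = '#{q}'")   # vulnerable: q interpolated into SQL
end
EOF
  gitc "$dir" add lookup.rb
  gitc "$dir" commit -q -m "Add product lookup"
  cat > "$dir/lookup.rb" <<'EOF'
def lookup(q)
  where("name = ?", q)     # fixed: bound parameter
end
EOF
  gitc "$dir" commit -q -am "Fix SQL injection in product lookup"
  printf '%s\n' "$dir"
}

# Usage against your own fork (after committing the fix there):
#   make_security_patch /path/to/spree-fork patch.txt
# Offline demo:
#   repo=$(demo_repo); make_security_patch "$repo" "$repo/patch.txt"
```

The apply check matters because a patch built on top of unrelated local commits, or against a different supported branch than the one the maintainers start from, will reach security@spreecommerce.org as a file that does not apply, and the round trip costs time on an embargoed issue. Run the check once per supported branch you are targeting.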

Disclosure Process

  1. Security report is received and acknowledged within 48 hours.
  2. The issue is confirmed and a severity level is assigned.
  3. A fix is developed and tested against all supported versions.
  4. A new release is published with the fix and a GitHub Security Advisory is created.
  5. Reporter is credited in the advisory (unless anonymity is requested).

Security Advisories

Published security advisories can be found at GitHub Security Advisories.

Security Best Practices

Spree is built on Ruby on Rails, whose defaults cover the common web vulnerability classes: ActiveRecord binds query values as parameters (SQL injection), protect_from_forgery checks an authenticity token on state-changing requests (CSRF), and ERB templates HTML-escape output (XSS). These defaults only protect code that stays inside them: interpolating user input into a SQL fragment string, marking a string html_safe or rendering it with raw, or skipping verify_authenticity_token on an action reopens the corresponding hole. For more details on how Spree handles security in production environments, see the Enterprise Security Overview. We recommend:
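As an added illustration of the paragraph above (this is not Spree's code or policy), the following script greps a store's Ruby source for the three ways the Rails defaults get switched off: string interpolation into the SQL fragment passed to where/order/etc., html_safe or raw on output, and skipped or disabled forgery protection. The file it scans is a constructed sample controller; the rule names (interpolated-sql, escaping-disabled, csrf-disabled) are this script's own labels.

```shell
#!/bin/sh
# Added example, not from the Spree docs: a grep-based audit for the code
# patterns that step outside Rails' built-in SQL-injection, XSS and CSRF
# protections. Point it at app/ of a store; here it runs over a constructed
# sample file so it works stand-alone.
set -eu

# flag FILE RULE REGEX: grep FILE for the ERE REGEX and print each hit as
# "FILE:LINE: RULE". grep exits 1 when nothing matches; that is not an error.
flag() {
  grep -nE "$3" "$1" | sed "s|^\([0-9]*\):.*|$1:\1: $2|" || true
}

# audit_rails_defaults FILE...: one finding per line, rules in the order below.
audit_rails_defaults() {
  for f in "$@"; do
    # 1. A #{...} inside the FIRST double-quoted argument of a query method
    #    is text spliced into SQL. Interpolation in later arguments (the
    #    bound values, as in where("x LIKE ?", "%#{v}%")) is not flagged.
    flag "$f" interpolated-sql \
      "(where|order|having|joins|select|group|find_by_sql|execute)\(\"[^\")]*#\{"
    # 2. html_safe / raw mark a string as trusted HTML, so ERB will not
    #    escape whatever user data was interpolated into it.
    flag "$f" escaping-disabled \
      "\.html_safe|(^|[^[:alnum:]_])raw\("
    # 3. Skipping the authenticity-token check, or turning forgery
    #    protection off, makes state-changing actions CSRF targets.
    flag "$f" csrf-disabled \
      "skip_before_action[[:space:]]+:verify_authenticity_token|skip_forgery_protection|allow_forgery_protection[[:space:]]*=[[:space:]]*false"
  done
}

# sample_controller: constructed Ruby source with one bad and one good query,
# one html_safe misuse and one skipped CSRF check; prints the temp file path.
sample_controller() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
class ProductsController < ApplicationController
  skip_before_action :verify_authenticity_token, only: :quick_add

  def search
    # BAD: user input interpolated into the SQL fragment
    @products = Spree::Product.where("name LIKE '%#{params[:q]}%'")
    # OK: bound parameter, LIKE wildcards escaped
    @safe = Spree::Product.where("name LIKE ?", "%#{Spree::Product.sanitize_sql_like(params[:q])}%")
    @note = "<b>#{params[:q]}</b>".html_safe # BAD: marks user data as trusted HTML
  end
end
EOF
  printf '%s\n' "$f"
}

# Usage on a store:   audit_rails_defaults $(find app -name '*.rb' -o -name '*.erb')
# Offline demo:       audit_rails_defaults "$(sample_controller)"
```

Every hit needs a human decision rather than an automatic rewrite: a where() fragment that interpolates a column name from a fixed allowlist is fine, and html_safe on a literal with no user data is fine, but each is a place where the Rails default no longer stands between an attacker and the store, so each should carry a comment saying why it is safe.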