This feature is part of VTEX Shield. If you are already a VTEX customer and want to adopt VTEX Shield for your business, please contact Commercial Support. Additional fees may apply. If you are not yet a customer but are interested in this solution, please complete our contact form.
If you require an analysis of your penetration test report by a VTEX Security analyst, it is necessary to have VTEX Shield. Furthermore, all penetration tests must be previously scheduled with VTEX. Any test conducted autonomously without prior notice to VTEX will be considered an unauthorized action attempt.
VTEX rigorously evaluates platform features by testing and detecting vulnerabilities through recurring scanning and penetration testing. These vulnerability checks are performed periodically.
In addition to the standard checks, stores using VTEX Shield can run a penetration test and report any vulnerabilities detected, as long as they schedule it with VTEX in advance.
Penetration tests, or pentests, are simulated attacks on a computer system, network, or web application to assess security, identify vulnerabilities, and fix them. This test is run ethically to assess the system's security without causing real damage.
In this guide, we explain how to schedule a penetration test and report any potential vulnerabilities in the platform:
Scheduling penetration tests
Only stores using VTEX Shield can schedule a penetration test and are entitled to a reply from the Security team, with access to an in-depth test report analysis, as described in the procedures in this guide.
To run a penetration test in your store's environment, you must align the test schedule with VTEX, for internal organization and planning by the Security team. Follow the instructions below:
- Open a ticket with VTEX support to inform that you want to schedule a penetration test.
- Our team will request the necessary information to schedule it, including the confidentiality agreement.
  If you hire a third-party company to run the test, they must also sign the confidentiality agreement.
  VTEX recommends that clients run their penetration tests with partners whose teams have a minimum level of certification in the field and are aware of the unauthorized procedures listed in this guide.
  Companies with professionals certified in programs such as EC-Council's Certified Ethical Hacker, CompTIA PenTest+, and GIAC Exploit Researcher and Advanced Penetration Tester often provide more detailed and standardized reports, which improves both communication and the quality of the assessment.
- Update your ticket with the information requested by VTEX, including the confidentiality agreement signed by those responsible for the store and by the company conducting the test.
- Save the ticket number. You will need it for future communications.
- After receiving the information, the VTEX team will contact you to confirm the penetration test within two business days.
- Run the test on the scheduled date, subject to authorization from VTEX.
- Send a report with the results to VTEX Support in the same ticket.
  You must follow the guidelines described in Penetration test reports to meet the analysis deadline set by VTEX.
  Assign a person from your security team to be the point of contact for the VTEX Security team throughout the test report analysis.
The VTEX Security team is committed to conducting a comprehensive analysis of all findings reported by the client from penetration tests previously authorized and scheduled by VTEX.
Within 10 working days after receiving the report, the team will identify false positives and reclassify the threat severity as necessary, following VTEX's best practices. Each decision in this process will include a detailed rationale to ensure full transparency and understanding.
Stores planning their go-live and willing to run a penetration test must also schedule it in advance. In this case, they must send the report with the results to VTEX Support at least 45 days before the planned go-live date. During this period, VTEX will analyze the results and address any vulnerabilities identified.
Penetration test reports
To ensure VTEX meets the 10-working-day deadline for analyzing the report, you must follow the guidelines below when creating the penetration test report:
- Details of what was affected: include information about where the problem was detected (URL, feature flow, etc.).
- Details of the impact on business: detail the effects of this security problem and the advantages it could provide to an attacker.
- Details of the vulnerability classification criteria: use a structure or document that details the criteria used to classify the severity of the suspected vulnerability.
- Problem description: add images to illustrate the problem.
- Description of the steps to reproduce or proof of concept: describe the procedures for reproducing the security problem, preferably with images.
- Attack description (optional): if the report mentions an attack, describe the security problems used to trigger the attack, with images as evidence (videos are optional).
Unauthorized procedures
We recommend using only authorized tests to identify vulnerabilities. The following procedures are prohibited:
- Running penetration tests without scheduling with VTEX.
- Actions that may negatively impact VTEX, its products, or its users. For example: spam, brute force, denial-of-service, and other actions stated in the confidentiality agreement regarding security tests.
- Accessing or trying to access data or information that does not belong to your account.
- Destroying or attempting to corrupt data or information belonging to VTEX.
- Any type of physical or electronic attack on VTEX personnel or property.
- Social engineering techniques.
- Breaking any laws and regulations or breaching any agreement to detect vulnerabilities.
Reporting vulnerabilities
We encourage our clients to responsibly report any security vulnerabilities they believe they have found during authorized tests.
If you wish to report a vulnerability, you should first work with your security and development teams to conduct a security assessment and eliminate false positives or issues arising from custom configurations. Only cases compatible with the definition of vulnerability will be analyzed.
Please review the VTEX Security Practices document and our Security FAQ before reporting any vulnerabilities. These documents clarify our processes and help eliminate false positives.
After this, follow the steps below to report a vulnerability:
- Download the vulnerability notification template.
- Complete the vulnerability notification template with detailed information about each vulnerability detected. Add as many details as possible about the vulnerabilities you found to explain the suspected issue, providing proof and images to help us understand, reproduce, and validate it.
  Vulnerabilities must be reported individually, following the template. If you encountered more than one vulnerability in your test, please complete one template per vulnerability and attach them all to your ticket.
  All information requested in the template must be provided and is essential for the assessment. The VTEX Security team will not address vulnerability notifications that do not follow the established template.
- Open a ticket with our Support to submit the security vulnerability notification. Do not forget to attach the completed vulnerability notification template in the ticket.
- Save your ticket number, as you may need it in future communications.
Vulnerability definition
VTEX considers a security vulnerability to be any flaw in our components that could allow the confidentiality, integrity, or availability of products or infrastructure to be compromised in any way.
We do not consider the following to be vulnerabilities:
- Presence or absence of HTTP headers (X-Frame-Options, CSP, nosniff, among others).
- Lack of security attributes in cookies.
- Cache-related issues.
- Stack error messages.
- Content injection by admin users.
- Customized store sections.
- Autocomplete enabled.
Reply from VTEX
VTEX makes no commitment to reply to bulk reports generated by automated scanners. If your analysis is based on an automated vulnerability identification process, we recommend having a security professional review the reports to ensure the accuracy of the findings before reporting the vulnerabilities to VTEX.
VTEX is committed to responding to notifications received by Support as soon as possible to inform about vulnerability fixes or to provide clear reasons that prevent pursuing further analysis or fixes.
VTEX is dedicated to analyzing, verifying, and fixing any vulnerabilities reported to us that may threaten your security.