docs/developer/security/security_policy.mdx
Proper application design, intelligent programming, and secure infrastructure are all essential in creating a secure e-commerce store using any software (Spree included). The Spree team has done its best to provide you with the tools to create a secure and profitable web presence, but it is up to you to take these tools and put them into good practice. We highly recommend reading and understanding the Rails Security Guide.
The following versions are actively maintained and receive security patches.
| Version | Release date | End of life |
|---|---|---|
| 5.0 | 26.03.2025 | 26.03.2028 |
| 4.10 | 06.09.2024 | 06.09.2027 |
If you're using an older version, please upgrade. Having trouble upgrading? Contact us for support.
Versions that are not listed above will not receive any security patches or fixes.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, please send an email to [email protected].
Please include as much of the following information as possible to help us triage your report:
If you would like to provide a patch yourself for the security issue, do not open a pull request for it. Instead, create a commit on your fork of Spree and run this command:

```bash
git format-patch HEAD~1..HEAD --stdout > patch.txt
```
Email a description of the patch along with the patch.txt file to [email protected].
Published security advisories can be found at GitHub Security Advisories.
Spree's API is built on Ruby on Rails, which provides strong security defaults, including protection against SQL injection, CSRF, and XSS. For more details on how Spree handles security in production environments, see the Enterprise Security Overview.
We recommend: