Security Reporting Protocol
If you find a security issue, such as a vulnerability, please do not release your finding publicly. Instead, send reports (including proof of concept) to security [AT] zen-cart [DOT] com. The core team will review your finding and respond appropriately.
Zen Cart takes security issues VERY seriously. Whenever a true security risk is discovered, a fix is posted immediately, using whatever means is most appropriate.
We appreciate hearing (privately) from the community about any security exploit risks found in Zen Cart code. We would rather hear about the situation privately so we can respond publicly with a fix for everyone.This helps keep existing shops safe without advertising the risk to would-be hackers and other bad guys.
You can view past security releases at the page security releases.