How to Report and Address Security Vulnerabilities in B2C Commerce

All Salesforce customers are required to work with their own security and/or development teams to do an initial review and triage of all their security findings. This will help eliminate any false positives, configuration and coding related issues that are specific to your implementation and expedite the overall response time.

It's important to understand that B2C Commerce storefronts sit behind our embedded Content Delivery Network (eCDN), so they are not vulnerable to IP/port vulnerabilities. Any traffic accessing the sites would need to come through eCDN via CNAME. The Origin IP is completely blocked from outside traffic, and any IP mentioned in security findings is not associated with the B2C Commerce platform origin servers. For additional insight, see the articles linked below:

• Embedded CDN Overview
• PCI Overview & Responsibilities for Commerce Cloud Customers
• Scan server for PCI compliance (eCDN provider)

Once you are able to reproduce the findings internally, if you still require support from Salesforce Security, please follow the steps outlined in Security Vulnerability Finding Submittal Guide to report the security vulnerability to Salesforce. Please include as much information as possible to help us better understand the nature and scope of the reported issue - replication steps with the proof of concept demonstrating each vulnerability, HTTP Request/Response, screenshots, payload, etc.)

How do I contact Salesforce if my Security Assessment request was not approved?
Please submit a request via https://bugbounty.my.salesforce-sites.com/VulnerabilityForm. We recommend working with your security testers to obtain the information requested in the forms pertaining to the assessment.

Salesforce will not cover any vulnerabilities found with custom development (e.g., apex/vf/sites, etc). You'll need to validate and fix any findings with your custom development.