Welcome to Bold Commerce's Trust and Security page. Our commitment to data privacy and security is embedded in every part of our business. Use this page to learn about our security posture and to request access to our security documentation.
Documents
We are working on our security compliance. We can provide completed questionnaires upon request.
We are currently working with experts to put together our company policies. Please contact us for more details.
Trust and Security Updates
Hey there!
On June 25th, 2024, security researchers at Sansec discovered that malicious code had been added to the popular polyfill package hosted at cdn.polyfill.io after it was acquired by a Chinese company earlier this year. Bold Commerce was alerted by Cloudflare on June 26, 2024 to the fact that some of our domains were using the affected package.
Upon receiving the alert, we swiftly moved to remove all references to the affected CDN from our codebases the same day. We confirmed via Cloudflare's Page Shield application that all affected references had been updated to safe sources for Polyfill code.
The malicious code was intended to redirect certain users to a website specified by the Chinese company. Although we confirmed that the affected polyfill package was loaded onto some sites using Bold Commerce apps (Checkout on Shopify and Subscriptions 1), the malicious code targeted only mobile devices under specific conditions. For other devices, the polyfill server served the original polyfill code, or an empty response for modern browsers.
To date, we have received no reports from our customers or from any of our automated systems that they were affected by the redirect.
We have reviewed our reporting systems to ensure that we will continue to find and remediate issues such as this in the future, and we will continue to monitor for any renewed attacks against this or other packages in use by our systems.
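The remediation described above comes down to one question: which templates and bundled scripts still pull code from the affected CDN host? The following script is an added illustration, not Bold Commerce's own tooling or Cloudflare's Page Shield. It scans source text for absolute and protocol-relative URLs whose host is (or is a subdomain of) a blocked host and reports the line numbers. Only the hostname cdn.polyfill.io comes from the write-up; the sample page is constructed for the example.

```python
import re
import sys
from urllib.parse import urlparse

# cdn.polyfill.io is the host named in the incident write-up; the parent
# domain is included so that any other subdomain of it is flagged as well.
BLOCKED_HOSTS = {"cdn.polyfill.io", "polyfill.io"}

# Absolute (https://host/path) and protocol-relative (//host/path) URLs as
# they appear in markup attributes or JavaScript string literals.
URL_RE = re.compile(r"""(?:https?:)?//[A-Za-z0-9.\-]+(?:/[^\s"'<>)]*)?""")

# Constructed sample template: three loads from the affected CDN (two in
# <script src> attributes, one injected from inline JavaScript) plus one
# load from a different host that must not be flagged.
SAMPLE_PAGE = """<!doctype html>
<html>
<head>
  <script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
  <script src="//cdn.polyfill.io/v2/polyfill.js"></script>
  <script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
  <script>
    var s = document.createElement('script');
    s.src = 'https://cdn.polyfill.io/v3/polyfill.min.js';
    document.head.appendChild(s);
  </script>
</head>
<body></body>
</html>
"""


def host_of(url: str) -> str:
    """Return the lowercase hostname of an absolute or protocol-relative URL."""
    if not url.startswith(("http://", "https://")):
        url = "https:" + url  # protocol-relative: borrow a scheme so urlparse splits it
    return (urlparse(url).hostname or "").lower()


def is_blocked(host: str, blocked_hosts=BLOCKED_HOSTS) -> bool:
    """True if host equals a blocked host or is a subdomain of one.

    Suffix matching is done on label boundaries, so a look-alike such as
    'polyfill.io.example.com' is not treated as a match.
    """
    return any(host == b or host.endswith("." + b) for b in blocked_hosts)


def find_blocked_references(source: str, blocked_hosts=BLOCKED_HOSTS):
    """Return a list of (line_number, url) for every reference to a blocked host."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for url in URL_RE.findall(line):
            if is_blocked(host_of(url), blocked_hosts):
                hits.append((lineno, url))
    return hits


def scan_paths(paths):
    """Scan each file path given; return {path: [(line_number, url), ...]} for files with hits."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_blocked_references(fh.read())
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the files given.
    if len(sys.argv) > 1:
        for path, hits in scan_paths(sys.argv[1:]).items():
            for lineno, url in hits:
                print(f"{path}:{lineno}: {url}")
    else:
        for lineno, url in find_blocked_references(SAMPLE_PAGE):
            print(f"sample:{lineno}: {url}")
```

Run against a checkout of the templates and built assets, the output is the list of locations that still need to be pointed at a trusted copy of the polyfill code; a clean run afterwards is the equivalent of the confirmation step described in the update.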
Hey There!
We wanted to communicate a change that has been clarified by ControlGap regarding PCI Council FAQ 1331, which may affect your PCI compliance.
Key Change:
Service providers who previously validated their compliance using SAQ-based reduced requirements are no longer eligible to do so. All PCI DSS requirements must now be considered when completing either an SAQ D or an onsite assessment resulting in a Report on Compliance.
What This Means:
- Requirements can no longer be marked as "Not Applicable" based solely on SAQ criteria.
- Each requirement must be evaluated individually and documented as "In Place," "In Place with CCW," "Not in Place," "Not Tested," or "Not Applicable" based on the specific environment and services offered.
What Changed:
The PCI SSC has clarified that only merchants, not service providers, can use reduced applicability methodology. This change is effective immediately.
Bold's Commitment:
Bold remains compliant with all PCI DSS requirements. We are sharing this information proactively to ensure you are aware of any potential impact on your own compliance efforts.
If you have any questions or concerns, please don't hesitate to contact us.
Bold Commerce Team
Hey There!
We understand that security is a top concern, and we want to assure you that your data's safety is our highest priority at Bold Commerce.
We are actively monitoring the recent Snowflake breach. We want to confirm that neither Bold Commerce nor our subprocessors utilize Snowflake, so we have not been exposed to this incident.
We remain vigilant in safeguarding your information and will continue to monitor for any potential security threats.
If you have any questions, please don't hesitate to contact our support team.
Bold Commerce Team
Hey There!
At Bold Commerce, your security is a top priority. We're actively monitoring the CVE-2024-3094 vulnerability in XZ Utils.
After a thorough review, we've confirmed that our systems are not vulnerable to this issue. We'll continue to stay vigilant and take any necessary actions to protect your data.
If you have any questions or concerns, please don't hesitate to contact us.
Bold Commerce Team
Hey There!
We wanted to inform you about an upcoming change to our Domain-based Message Authentication, Reporting & Conformance (DMARC) policy for boldcommerce.com. Effective immediately, we will be changing our DMARC policy for failed messages to "quarantine" instead of "reject."
This change aligns with best practices and aims to protect both you and your recipients from fraudulent emails while minimizing disruptions to legitimate email delivery.
We understand that changes to email policies can sometimes raise questions. If you have any concerns or need further clarification about this update, please don't hesitate to contact our support team at support
Bold Commerce
If you think you may have discovered a vulnerability, please send us a note.