Partner support policy

by Team Sansec

Published in Guides

Sansec has got your back! While our primary objective is to help you prevent any security issues, sometimes an incident slips through. Should your team be unable to resolve it, we provide specialized tier 3 assistance to all of our ecommerce partners with an eComscan agency license.

Effective resolution

To help you in the best possible way, here are some guidelines.

For stores that are covered by your agency license, our assistance is free of charge up to 1 hour per incident. Additional assistance is available pending our availability and your explicit confirmation, and is charged at EUR 300/hour.

In principle, Sansec provides tier 3 support to partners, not to merchants. We are happy to be CC'd in any communication with your customer, but we kindly ask you to remain the primary contact for your customer.

Sansec specializes in complex cleanups and root cause analysis. Sansec does not provide generic code reviews or pentests. For that, we recommend engaging a specialized development agency.

When engaging us, please provide the following information:

  1. Provisional incident timeline. When was the issue discovered, how and by whom? When was the last time the store was likely secure and how have you reached this conclusion? Have there been other security incidents in the previous 12 months and how were they resolved? Have any known security vulnerabilities been resolved in the previous 6 months? Please provide timestamps (UTC/GMT) of all events, such as suspect transactions, external notifications and possible remediation by you or your customer.
  2. Evidence. Please provide a copy of already detected malware. If unavailable, please restore a copy from a recent backup. Do not remove, move or alter any suspect code, as doing so will destroy relevant timestamps. If you publish atomic releases after the incident, please retain a copy of the previously affected release(s).
  3. Log data. Please ensure access to at least the previous 6 months of web server access logs. With some ISPs (such as Nexcess) you need to request this from their support team, and retrieval may take up to 3 days.
  4. eComscan report. Please provide a relevant, full ecomscan report that was produced using the --deep -m0 options.
  5. Code integrity. Please review a diff of the production code against a trusted secure copy from version control. If version control is not available, you could use our Magento Corediff tool to identify unauthorized changes.
  6. Admin review. Please ensure that any (Magento/WordPress/...) admin panels have not been accessed by unauthorized IPs in the past 6 months. In order to establish this, you may need to request a list of authorized IPs from the customer.
  7. Sansec SSH access. Please grant us temporary SSH access to the compromised server and access logs (read-only access suffices). Send us the user/port/hostname where we should connect.
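
For the admin review in step 6, one way to check access logs against the customer's list of authorized IPs, as an added example that is not Sansec's own tooling. It assumes combined-format access logs; the admin paths, the allowlist and the sample log lines are constructed placeholders, and timestamps are normalized to UTC as step 1 requests.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumptions, not from the policy page: adjust to the store's real admin
# URLs (Magento admin paths are often customized) and the customer's IP list.
ADMIN_PATHS = ("/admin", "/wp-admin", "/wp-login.php")
AUTHORIZED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def unauthorized_admin_hits(lines, now, days=183):
    """Return sorted (utc_time, ip, method, path, status) tuples for admin
    requests in the last `days` days from IPs outside AUTHORIZED."""
    cutoff = now - timedelta(days=days)
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        try:
            ip = ipaddress.ip_address(m["ip"])
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname instead of IP, or malformed timestamp
        ts = ts.astimezone(timezone.utc)
        if ts < cutoff or not m["path"].startswith(ADMIN_PATHS):
            continue
        if any(ip in net for net in AUTHORIZED):
            continue
        hits.append((ts.isoformat(), str(ip), m["method"], m["path"], int(m["status"])))
    return sorted(hits)

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE = [
    '203.0.113.10 - - [02/Mar/2024:09:15:01 +0000] "POST /admin/index/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [03/Mar/2024:01:12:45 +0100] "POST /admin/index/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [03/Mar/2024:00:20:00 +0000] "GET /checkout/cart HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.99 - - [01/Jan/2023:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "curl/8.0"',
]
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)  # constructed "today"

if __name__ == "__main__":
    for hit in unauthorized_admin_hits(SAMPLE, NOW):
        print(*hit)
```

Every returned row is a lead to confirm with the customer rather than proof of compromise, since the authorized IP list may be incomplete.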

Upon receiving your request at [email protected], we aim to deliver a verdict or solution within two working days (usually much faster).

Critical alerts for our partners

We send out occasional alerts to our partners about critical issues. They may contain WAF filter rules or specific 0-day mitigation strategies. Our aim is to help you deflect emerging mass scanning attacks, and make sure you can communicate proactively with your customers. Let us know the specific email addresses that we should include. Role-based email addresses are recommended (e.g. security@).
