It's become an almost unnervingly common occurrence to hear about data breaches and other security issues in the news. It's important to stay up to date with security fixes as they're released to avoid issues that have a known and published remediation.
WebSphere Commerce follows the standard IBM PSIRT (Product Security Incident Response Team) Security Vulnerability Management process to handle vulnerabilities as they are reported. What this boils down to is that when a vulnerability is discovered, the WebSphere Commerce Security team will follow industry-standard best practices and publicly disclose the vulnerability by assigning it a CVE (Common Vulnerabilities and Exposures) identifier and publishing a Security Bulletin.
As such, it's recommended to stay on top of these bulletins for the products you use. Here's a quick rundown on how you can get emailed automatically when a new bulletin is published.
Sign up for notifications
Log in to the My Notifications tool
This is part of the IBM Support Portal – an IBM ID is required. Here you can subscribe per product to receive emails when new security bulletins are published.
WebSphere Commerce can be found here and WebSphere Application Server can be found here.
Choose to get notifications for both “Security bulletin” and “Flashes”.
While I've mentioned WebSphere Commerce and WebSphere Application Server above, it's important to point out that there's likely more to your environment than just those two products. For example – DB2 and IHS (IBM HTTP Server) may also be of interest to you. Consider other integrations as well – such as with Sterling products. Signing up for notifications for your entire IBM software stack will help you stay ahead of the game.
While these steps will keep you current on future Security Bulletins, it's also worth looking into the bulletins that have already been published. The following Technote search will also return all of the Security Bulletins that have been published for WebSphere Commerce.
Finally, Security Bulletins are only a reactive measure for site security: they help resolve new issues as they come up. As always, it's best to be proactive with your security, and this is best handled by making sure you are using the full wealth of security features that WebSphere Commerce provides – such as cross-site scripting protection, whitelist filtering, and more. Read up on the security features in the Enhancing site security page of the Infocenter.