You’ve likely already heard about the “Heartbleed” security vulnerability affecting thousands of websites and millions of servers worldwide. I just wanted to share some quick notes here to address any questions you might have about how this affects Expensify:
- All data is secure. We’ve had no indication that this vulnerability has affected any users in any way.
- All public servers are secure. We’ve done a complete audit of all public webservers and confirmed that they do not have this vulnerability.
- All private servers have been secured. We did find one private monitoring server experiencing this vulnerability, but it does not host any customer data, nor is it accessed by customers. Regardless, it has been shut down and will be secured before being restarted.
- The https://www.expensify.com certificate has been renewed. Even though there was no indication of any wrongdoing by anybody, just to eliminate even the possibility of security risk, we’ve replaced our primary HTTPS certificate.
In summary, all is well, and will remain so. Incidentally, while on the topic of security, let me remind you what we do and share some new details:
- PCI-DSS. Everything we do complies with the Payment Card Industry Data Security Standard. This is the “gold standard” for security, created by Visa and MasterCard, and the official security standard used by banks and financial services worldwide.
- SSAE 16 SOC 1 Type II. It’s a mouthful, but we’re undergoing a comprehensive audit of all internal systems and controls. Most companies won’t care about this, but it’s important to our larger and publicly-traded customers.
- External security audit. Even before this went down, we had engaged an outside security firm to do a “deep dive” on our internal security design, as well as “white hat” analysis and scanning of our systems to verify that they’re implemented correctly.
Security is at the very heart of everything we do. We think of it continuously, so you won’t need to.