Log4Shell Security Update

On this page we present a chronological account of how we assessed the “Log4Shell” vulnerability.

Timeline

11th December 2021 (Saturday)
We were made aware of a vulnerability (CVE-2021-44228) in Log4j2 on Saturday. The engineering team immediately scanned all our source code for dependencies on Log4j2. None were found, and source code history shows that the last dependency on Log4j was removed in late 2014, and we never used Log4j2. Our product is thus not directly affected by this vulnerability.
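The dependency scan described above, as an added example that is not the company's own tooling: a small scanner that walks a source tree, reads Maven and Gradle manifests, and classifies each declared log4j-core version against the range affected by CVE-2021-44228. The affected range (2.0-beta9 through 2.14.1, fixed in 2.15.0 and in the 2.12.2 and 2.3.1 backports) comes from the public advisory, not from this page; the regexes and manifest file names are the example's own assumptions.

```python
"""Added example: scan Maven/Gradle manifests for log4j-core and flag CVE-2021-44228.
Assumes affected range 2.0-beta9..2.14.1; fixed in 2.15.0 and backports 2.12.2, 2.3.1."""
import os
import re
from typing import List, Optional, Tuple

MANIFESTS = ("pom.xml", "build.gradle", "build.gradle.kts")
# Gradle shorthand: "org.apache.logging.log4j:log4j-core:2.14.1"
GRADLE_RE = re.compile(r"org\.apache\.logging\.log4j:log4j-core:([\w.${}\-]+)")
# Maven <dependency> element; re.S spans lines, the negative lookahead keeps the
# match inside one <dependency> so it cannot pair one artifact with another's version
MAVEN_RE = re.compile(
    r"<groupId>\s*org\.apache\.logging\.log4j\s*</groupId>(?:(?!</dependency>).)*?"
    r"<artifactId>\s*log4j-core\s*</artifactId>(?:(?!</dependency>).)*?"
    r"<version>\s*([^<]+?)\s*</version>", re.S)
STAGE = {"beta": 0, "rc": 1, None: 2}                # pre-release ordering
FIRST_BAD, LAST_BAD = (2, 0, 0, 0, 9), (2, 14, 1, 2, 0)
BACKPORT_FIXED = {(2, 12, 2, 2, 0), (2, 3, 1, 2, 0)}

def version_key(v: str) -> Optional[Tuple[int, ...]]:
    """'2.14.1' -> (2,14,1,2,0); '2.0-beta9' -> (2,0,0,0,9); None if unparsable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", v.strip())
    if not m:
        return None                                  # e.g. "${log4j.version}"
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(num or 0))

def classify(v: str) -> str:
    """'affected', 'not-affected', or 'unknown' (resolve the property by hand)."""
    key = version_key(v)
    if key is None:
        return "unknown"
    if key in BACKPORT_FIXED or not (FIRST_BAD <= key <= LAST_BAD):
        return "not-affected"
    return "affected"

def find_log4j_core(manifest_text: str) -> List[str]:
    """Every log4j-core version string declared in one manifest."""
    return GRADLE_RE.findall(manifest_text) + MAVEN_RE.findall(manifest_text)

def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Walk a source tree; return (path, version, status) per declaration found."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in MANIFESTS:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits += [(path, v, classify(v)) for v in find_log4j_core(fh.read())]
    return hits
```

Only directly declared dependencies are checked; a clean result does not rule out log4j-core arriving transitively through another library, so pair it with `mvn dependency:tree` or `gradle dependencies` on each build.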

13th December 2021 (Monday)
A PoC (Proof of Concept) attack example was shared internally to ensure the whole engineering team fully understands the exploit and how to test for it. This reduces the risk of the vulnerability, or a similar vulnerability, accidentally being introduced in the future.

We reached out to all of our subprocessors to obtain a statement from them. While we don’t share any user-generated content like reviews, feedback or objectives with subprocessors, some of these do process other sensitive data for us, like customer relationship information. We received immediate information that two of our most crucial subprocessors (Hubspot and Appcues) were not affected either, and we are still waiting to hear back from Chargebee, Helpscout, Stripe, Sendinblue and Sendgrid.

14th December 2021 (Tuesday)
We received confirmation from Chargebee and Stripe that they also weren’t compromised.

General security information

Security is very important to us. We were luckily not affected by this particular vulnerability, but we continue to stay on top of the latest security news and respond quickly as we’re made aware of other potential vulnerabilities. On top of recently having done a security audit with a renowned external company, we also run a program on HackerOne where security researchers continuously test our application for vulnerabilities. Security is something that we have always prioritized, and we will continue to do so. You can read more about our security approach on our security overview page.