On December 10, 2021, our security personnel became aware of CVE-2021-44228, the Log4j vulnerability. We searched our source code repositories, found one that used Log4j, upgraded the library to the most recent version (2.15.0, which is not vulnerable) and deployed the change. On December 14, we upgraded again to 2.16.0, which addresses the CVE-2021-45046 Log4j vulnerability. Then on December 18, we upgraded to 2.17.0 and to 2.17.1 on December 29 which addresses CVE-2021-45105. This is consistent with our policies which call for immediate remediation of critical vulnerabilities.
WorkBoard's Information Security Program includes a vulnerability management program that complies with, and is audited annually for, ISO 27001 and SOC 2. Our vulnerability management includes regular vulnerability scans of infrastructure, source code (SAST), third-party libraries (SCA), and the running application (DAST.) Our full-time security staff monitors scan results and ensures remediation of vulnerabilities with a promptness appropriate to the severity of each vulnerability and consistent with our ISO-compliant policies. We also hire a third party to perform a penetration test of our platform at least quarterly.