Karl Armani

As you have likely heard, a newly discovered security issue in the commonly used OpenSSL cryptographic library, known as the Heartbleed bug, has caused serious concern. We are communicating this publicly to make sure that our clients and users know that Medallia is not vulnerable to the Heartbleed bug. No action is required; we are relaying this message only to assure our clients that their data remains safe with Medallia.

Here’s what’s happened at Medallia since the bug was made public: Our Operations team jumped into action as soon as news of the vulnerability broke, reviewing all externally accessible infrastructure that uses OpenSSL in any way. This analysis determined that Medallia is not vulnerable.

Our Information Security team already conducts regular network vulnerability scans against all Medallia-owned networks and has now added a profile to specifically search for this vulnerability based on CVE-2014-0160. The scan reports have confirmed that Medallia is not running vulnerable versions of OpenSSL, but we will continue to run this scan daily as a precaution.

Even though client data is not at risk, Medallia will be rekeying and replacing all SSL certificates as an extra security measure. Again, if you are one of our customers, no action is required on your part.