SpiceHeads,

Last week, a user discovered a security vulnerability in our Spiceworks 7.4 Desktop application that had the potential to put our users and their company data at risk. The vulnerability was quickly closed by disabling a feature of the application, and work immediately began on a patch that was delivered on Friday. We’re fortunate that fewer than sixty installations were potentially impacted and none have reported being exploited.

Our mission is to build products that make your job easier and simplify your day. To do so, you entrust us to safeguard your security and your data appropriately. In this case, we let you down. Ultimately, it is my job as CTO and co-founder to make sure our technical staff does not allow mistakes to happen, or to respond quickly and appropriately if mistakes do happen. Obviously in this case a mistake happened, and we fumbled our initial response. I let you down.

We must do better. As our teams continue identifying internal and external improvements, I want to give you some early insight into the changes we’re already making and planning to make. These details are not complete, but this list serves as a guide to the areas in which we are focusing:

We’re reevaluating our development and test process to prevent issues like this before release. We recently instituted a more formal code review process within teams, but this is not enough. Next we will add code audits and test plan reviews across teams to ensure those feeling the pressures to deliver on time do not hastily miss important security details.

We’ll do a better job educating our employees to identify and escalate issues that require immediate investigation and attention. We will continue to encourage the free and open communication between our staff and you – you’ve told us how much you value and appreciate it. However, for matters like security and data integrity, our users and their data must be protected, so we’ll train our employees to escalate appropriately so that we do not misinform or create confusion.

We must centralize and improve the frequency and quality of communication on security issues. While we utilized a number of ways to inform users in this case – the community, email, support – we realize you need a single place to go where you can read accurate and authoritative details regarding security vulnerabilities. To that end, today we’re launching the Spiceworks Security Center to serve this purpose. In the Security Center you’ll be able to report vulnerabilities, find details, and learn remediation steps. We’ll also establish a new process for regular points of communication so that you can stay up-to-date if you’re ever impacted in the future.

I'd like to thank you for your help and support through all of this. From the original report to suggestions on improvements, you've helped us get better over the last week. The changes I've highlighted are just the beginning of a long road, and we're committed to once again earning your trust.

Thanks,

Francis