Implementing Solutions to Safeguard Sensitive Data

In January, one of our vendors, Karros Technologies, alerted us to a potential vulnerability in its email verification services. The vulnerability, discovered by a white-hat security research firm, allowed a bypass of authentication controls that could potentially give access to areas of the back-end infrastructure, including monitoring dashboards containing customer information.

No customer data was exposed by this vulnerability, which was disclosed privately to our vendor by the security firm. The root cause of this vulnerability was fixed in the latest versions of the underlying architecture providing this service. Upon notification by the vendor, Edulog immediately requested that 1) the services in question be locked down via a temporary workaround, and 2) the at-risk architecture be upgraded to the current version to implement the longer-term fix.

Edulog formally renegotiated our contracted services with this vendor to require N-1 compliance for all major applications, with regular reporting and review to Edulog. The N-1 standard mandates that all production applications be either on the most current long-term support version or the major version immediately prior. Edulog maintains a proactive stance on security and hopes to continue to implement solutions that uphold our overarching pledge to safeguard sensitive data belonging to our districts and maintain the trust of our clients.

If you have any questions, please contact your Account Manager or security@edulog.com.