Security Center
We are committed to maintaining the security of our systems and our customers’ information. Outlined below are key elements of our security practices. See the bottom of the page for more details about these items:
- Hosting facilities are SSAE16-compliant (SOC2 level).
- Backups are performed and tested regularly and are stored in multiple secure locations.
- Separation of duties enforced (least privilege).
- We utilize separated encrypted databases for personally identifiable information storage and processing.
- User credentials are never stored in plaintext (industry-standard bcrypt hashing).
- All traffic is TLS-encrypted in-flight.
- Device credentials are always kept local.
- Daily infrastructure security scans (industry-standard scanners).
- We have third-party penetration tests performed at a minimum of one per year.
- Application source code is regularly scanned for vulnerabilities.
- We have a security incident response team to quickly fix major vulnerabilities and communicate with those affected.
We use TLS / HTTPS
We use industry-standard Hypertext Transfer Protocol (HTTP) over Transport Layer Security (TLS), or more simply HTTPS, on our website and across our applications. This creates a secure network communication link between client and server and protects all the data transmitted over the connection.
Secure hosting environment
Our data center is staffed 24×7 by trained security guards, and access is authorized strictly on a least-privilege basis (meaning that people are granted the minimum user rights necessary to do their job). Electronic surveillance and multi-factor access control systems are utilized.
We store data within the US. Specifically, we use datacenters located in Austin, TX and Northern Virginia. We may also utilize major cloud hosting service providers for particular services.
Offsite backups
We take hourly offsite backups of all critical application data.
Security testing
Spiceworks has an internal team that focuses on security. We run internal vulnerability scans and fix issues as they are found. In addition, we routinely have outside companies perform penetration testing. Finally, we work with external vulnerability disclosure companies to proactively look for new security vectors.
Responsible disclosure
We rapidly investigate all reported security issues. Refer to the “Reporting Security Issues” section on this page if you’ve discovered a security bug. We request that you do not publicly disclose the issue until we can address it.
Security center
Spiceworks maintains a Security Center so that users can be kept up-to-date with security disclosures and impacts – https://spiceworks.com/support/security-center
Reporting Security Issues
We value those who take the time and effort to responsibly report security vulnerabilities according to the guidance here: https://bugcrowd.com/ziffdavis-vdp-pro.
If you believe you have found a security vulnerability relating to Spiceworks systems or products, please submit a vulnerability report via https://bugcrowd.com/ziffdavis-vdp-pro. We use this platform to triage, validate, and respond to responsibly disclosed vulnerability reports.
In your report please include the following details:
- The location of the vulnerability (or the endpoint or URL with the vulnerability), which may require the software product name, version, and platform or the website address where the vulnerability can be observed.
- A brief description of the type of vulnerability, for example, “XSS vulnerability on <domain name>”.
- Steps to reproduce the vulnerability. These should be a benign, non-destructive proof of concept.
For the protection of our users, we generally do not discuss or confirm security issues until a full investigation is complete and any necessary patches or releases are available. Any vulnerability issue disclosed in a public forum in the community may be moved to a private section until we’ve completed an assessment.