Incident IQ


Incident IQ’s Response to the Log4j Vulnerability

What is the Log4j vulnerability?

The Log4j vulnerability is a flaw in a popular Java library used for logging error messages in applications. This vulnerability was discovered in early December 2021 and potentially exposes millions of devices to the risk of exploitation.

Is Incident IQ affected by the Log4j vulnerability?

The Log4j vulnerability does not directly apply to us. It is a flaw in a Java library for logging error messages in applications. Our ecosystem does not run any Java-based systems, and we don’t utilize that library anywhere in our code.

Our code, which is 99% of our application, is secure. We do depend on a few cloud services that could utilize Java within their ecosystem, and there is no way to be sure whether that vulnerability is fully addressed or not. However, our major vendors (Microsoft, Apple, Amazon, and Google) are all reporting that they have mitigated the Log4j risks to their services. Along with our vendors, we will continue to monitor the situation closely.

What should K-12 districts do about the Log4j vulnerability?

K-12 districts, like all large organizations, should perform an internal assessment to determine if there are any security risks present due to the Log4j vulnerability. CISA, the Cybersecurity and Infrastructure Security Agency, has detailed guidance to determine what risks might be present in your organization.

Review the CISA Log4j Vulnerability Guidance page, and consider performing an internal audit of district systems. Check with external vendors to confirm that their systems have been mitigated against this risk.

Incident IQ’s commitment to security

At Incident IQ, we remain acutely focused on keeping our platform safeguarded against emergent threats. Our partner districts trust us to keep their critical data and systems safe, and this is our highest priority. The development team at Incident IQ will continue to monitor and communicate updates related to the Log4j vulnerability, and any other critical cybersecurity issues that emerge.