Trust Center

Please be advised that we have now received our 2023 SOC2 Type II report as well as our ISO27001 certificate. To access go to the documents section of the portal to download the latest documents.

As of this morning (2023-01-05) Snyk was made aware of a potential security incident (https://circleci.com/blog/january-4-2023-security-alert/) with a tool in our supply chain.

At present we have no indication of any breach of Snyk data or credentials. We are continuing to actively investigate this report.

We are currently investigating this issue.

Please visit https://status.snyk.io/ for the most up to date information related to this issue.

Further to the recent CVE-2022-22965 - “SpringShell” RCE vulnerability in spring-beans before 5.2.20/5.3.18, Snyk can confirm we have carried out intensive investigations and can confirm that we have seen no evidence that Snyk customers or internal employees have been targeted or impacted by this vulnerability.
Snyk will continue to monitor the situation closely and will provide updates where we have them available to us.
Snyk values the security of its services extremely highly and to this end we maintain appropriate industry accepted third party accreditation of our security controls and program.
Sincerely,
Erica Geil
Chief Information Officer.

To whom it may concern,

​

Snyk has been made aware of the potential Okta security breach discovered and is actively assessing the situation as events unfold.

​

At the time of writing we have seen no evidence that Snyk customers or internal employees have been targeted or impacted by these events. However, we are monitoring the situation closely and will provide updates where we have them available to us.

​

Snyk values the security of its services extremely highly and to this end we maintain appropriate industry accepted third party accreditation of our security controls and program.

​

Sincerely,

Erica Geil.

Chief Information Officer.

Further to the current Russia and Ukraine conflict and its disturbance to the people and business within that region, Snyk has carried out an investigation into the potential impact on provided services.

​

At this time, Snyk has determined that there appears to be no material impacts to our services including our supporting suppliers. Snyk will continue to monitor the situation to ensure that the appropriate risk management, cybersecurity monitoring and preparedness, and supply chain impact are assessed.

​

Should such a potential or actual service impact occur, notification will be provided to any identified impacted customers through the standard notification channel https://status.snyk.io

​

Please also see our latest blog confirming Snyk's cease of trading with Russia and Belarus. https://snyk.io/blog/snyk-ceases-business-russia-belarus/

Snyk can confirm that within 24 hours of publishing CVE-2021-44228 in our vulnerability database all services that compose Snyk’s Cloud Platform running Apache’s vulnerable Log4j library have been patched to the latest version. We have not detected any successful attempts at exploitation of this attack vector during that time window. Snyk’s security response to events pertaining to the Log4j remote code execution vulnerability (RCE) is also strengthened by our defence in depth that leverages network-based firewalls, web application firewalls, anomaly detection with our platform environment, and is supplemented by our ongoing ISO/IEC 27001:2013 certification process and ISAE3402 SOC2 Type II annual report, available to customers on request. Today customers can also leverage the Snyk Platform to understand what steps they can take to ensure their services are also secure from CVE-2021-44228 and much more.