Platform Trust Center

Overview

BigCommerce's core Software as a Service (SaaS) offering is a cloud-hosted online storefront, a cloud-hosted checkout process, and a back-end administration portal for merchants to manage customers, products, orders, and other standard business operations, as well as Application Programming Interfaces (APIs) to support these processes.

BigCommerce has implemented best-in-class security practices to keep customer data safe.

Compliance

CCPA
GDPR
ISO 27001
PCI DSS
Privacy Shield
17 Documents
Network Diagram
Pentest Report
Security Whitepaper
Vulnerability Assessment Report
GDPR
ISO 27001
PCI DSS
Privacy Shield
CAIQ
Acceptable Use Policy
Access Control Policy
Business Continuity Policy
Data Classification Policy
Encryption Policy
Information Security Policy

Risk Profile

Data Access Level: Restricted
Impact Level: Substantial
Critical Dependence: Yes

Product Security

Role-Based Access Control
Audit Logging
Data Security

Reports

Network Diagram
Pentest Report
Vulnerability Assessment Report

Completed Forms

CAIQ

Data Security

Access Monitoring
Backups Enabled
Data Erasure

App Security

Bug Bounty
Code Analysis
Software Development Lifecycle

Access Control

Data Access
Logging

Infrastructure

Google Cloud Platform
Infrastructure Security
Separate Production Environment

Security Grades

Qualys SSL Labs
  • login.bigcommerce.com
    A+

Endpoint Security

DNS Filtering
Endpoint Detection & Response
Mobile Device Management

Network Security

Firewall
IDS/IPS
Virtual Private Cloud

Corporate Security

Email Protection
Employee Training
Incident Response

Policies

Acceptable Use Policy
Access Control Policy
Business Continuity Policy

Trust Center Updates

SECURITY NOTICE: about the recently disclosed Log4j vulnerabilities

Published at 12/28/2021, 5:09 PM

References:
  • https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
  • https://logging.apache.org/log4j/2.x/security.html
  • https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  • https://nvd.nist.gov/vuln/detail/CVE-2021-45046
  • https://nvd.nist.gov/vuln/detail/CVE-2021-45105
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104

Exploits for vulnerabilities affecting Apache's Log4j, collectively known as "Log4Shell", were publicly disclosed on December 9, 2021.

There have been reports confirming that active scanning and exploitation attempts are occurring in the wild across a variety of Internet-connected systems, separate from and unrelated to BigCommerce systems.

BigCommerce has been working diligently to assess our internal systems and third-party dependencies in order to mitigate a vulnerability that has become ubiquitous and is widely targeted by attackers.

What is the impact? From our investigation, no impact to our platform has been identified. Merchants and partners are strongly encouraged to assess their own environments for this vulnerability and remediate immediately.

Who is impacted? Versions of Log4j2 from 2.0-beta9 to 2.15.0, excluding 2.12.2, are affected by this vulnerability. An extensive list of responses from impacted organizations has been compiled here for greater context: https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/

What action is required for BigCommerce's customers? No action is required for your BigCommerce store. However, if you have engaged a third-party development partner or use third-party applications, you are strongly encouraged to request confirmation that they are not vulnerable to the Log4j vulnerabilities.

Note: BigCommerce will not send you any code to upload to your site or require you to install anything on your computer or in your store.