There's a lot of press currently about a server security flaw that has been called Heartbleed. This flaw in some very commonly used software called "OpenSSL" allows hackers to get around security and encryption used on servers and see passwords and other sensitive data.
The flaw was publicised widely from Monday 7th April 2014 and because "OpenSSL" is a very, very widely used piece of software this has generated huge media attention, quite rightly, because so many well known websites are affected.
Reward Gateway has never used OpenSSL for encryption. We have not needed to make any patches or changes.
"OpenSSL" is installed on our servers but it does not perform the SSL encryption that is used by our service. We additionally have two "SSL Accelerator" hardware devices in front of our servers that do all of the SSL encryption on our service. These boxes have been in place since 2009, well before the Heartbleed bug was introduced. These SSL Accelerator boxes use different software and different technology and are not affected by Heartbleed. We went through a full set of tests to confirm this.
This means that there is no risk that employee data has been stolen or compromised from us as a direct result of the Heartbleed issue.
"Heartbleed" detector tools may give a false positive on Reward Gateway.
There are a number of tools, websites, and browser extensions being rushed out that help users see if a website they are visiting is affected by Heartbleed. These tools have to make a guess as to whether a server is affected by Heartbleed based on limited information that the server makes public. These tools sometimes report a false positive - they can report a server as affected when it is not. We have heard reports that some of these tools are reporting Reward Gateway as a Heartbleed affected server incorrectly. You can safely ignore this. Reward Gateway infrastructure is not affected in any way by the Heartbleed security flaw.
Users who have a Reward Gateway password that is unique to Reward Gateway need take no action.
If the password that you use to access Reward Gateway is unique and you do not use it elsewhere on other internet sites or other connected devices then you do not need to take any action.
