Trust Center

To all Veracode Customers,

On the morning of November 18, 2025, our services were impacted by the Cloudflare
service disruption. In response, Veracode immediately engaged Cloudflare, continued to
monitor restoration of their services, and evaluated contingency plans.

Cloudflare identified and implemented a fix by 9:42 AM EST. As a result, Veracode services
were immediately restored.

While we do not anticipate any further disruptions, we will continue to monitor our systems
and provide timely updates as more information becomes available. If you have any
questions or require additional details, please reach out to your designated Veracode
customer success representative.

Sincerely,

The Veracode Team

To all Veracode Customers,

On October 20, 2025, our services were impacted by a third-party outage. In response, we immediately launched a comprehensive review of our systems, initiated enhancements, and are evaluating additional resiliency safeguards. As part of this initiative, we proactively renewed Veracode’s root certificates across core systems used for securing internal service-to-service communication. This operation, though briefly disruptive, is a critical part of maintaining the security and resiliency of our infrastructure. The renewal process began on November 3, 2025, and is expected to be completed by the close of business on Friday, November 7, 2025. While we do not anticipate any further disruptions, we will continue to monitor our systems and provide timely updates on Veracode's status page.

We recognize the timing of today’s interruption, coming amid widespread discussions of reliability following recent third-party outages, and we understand how sensitive and disruptive such interruptions can be. We sincerely apologize for the impact this may have had on your operations. We deeply appreciate your patience and continued trust as we continue to build a more resilient, secure infrastructure for all our users.

Sincerely,

The Veracode Team

To all Veracode Customers,

We'd like to provide additional clarity around the recent service disruption. The issue originated from a broader Amazon Web Services (AWS) infrastructure event that affected many organizations. While Veracode's own platform remained secure, our services experienced temporary unavailability due to dependencies on AWS infrastructure.

The Veracode platform has been fully operational since October 20th at 9:43 p.m. EST. Our teams continue to closely monitor system performance to ensure stability and reliability across all services.
We appreciate your patience and partnership as we navigated this industry-wide event and remain committed to providing the secure, reliable service you expect from Veracode.

Sincerely,
The Veracode Team

Update: Veracode’s impact from the AWS outage has been mitigated. The Veracode platform is fully operational. Our engineers are closely monitoring our systems.

To all Veracode Customers,

Earlier today, Amazon Web Services (AWS)—the cloud infrastructure provider that hosts portions of the Veracode environment—experienced a major outage in its US-EAST-1 region. This widespread incident affected numerous global services, including several components that support Veracode’s operations.

As a result, some customers may be experiencing intermittent connectivity or delayed responses from our platform.
We want to be clear that this is not a Veracode software or product issue; the disruption stems from AWS infrastructure dependencies impacting many technology providers worldwide.

Our engineering and operations teams are actively monitoring AWS recovery efforts and validating full service restoration across all affected components.

We will provide another update on Veracode's Trust Center at approximately 8:00 p.m. ET or sooner if the situation changes.

Thank you for your patience and understanding as we work closely with AWS to resolve this industry-wide event.

Sincerely,
The Veracode Team

Veracode’s Product Security and Security Operations teams have completed a comprehensive review of our Software Bill of Materials (SBOMs) in response to the recent malicious NPM package disclosures. We can confirm that while some of the affected packages are present in our environments, none of the compromised versions are in use. Based on these findings, there is no impact to Veracode systems, services, or customer data.

We remain vigilant in monitoring the open-source ecosystem and will reassess our exposure whenever new packages or versions are identified as malicious. In addition, Veracode’s Malicious Package Detection capabilities help proactively safeguard development pipelines by identifying compromised components before they can be introduced. This ensures stronger resilience for both our software and for the customers who rely on us.

We are aware of the active campaign targeting Salesforce environments through the Salesloft Drift integration. While we do use Salesforce, we do not use the Salesloft Drift integration that is being leveraged as the attack vector. We have conducted extensive threat hunting exercises and have not detected any indicators of compromise related to this malicious campaign.

As part of our standard security practices, we are also engaging with critical vendors to confirm remediation steps are in place, where applicable. We will continue to monitor the situation closely and provide updates as needed.