Tag Archives: disclosure

Heartbleed SSL Flaw Angst Aggravated by Broken Disclosure Process

I wasn’t aware that only a handful of companies were notified of the vulnerability before it was published.  That is not best practice.

Via Heartbleed SSL Flaw Angst Aggravated by Broken Disclosure Process:

NEWS ANALYSIS: The decade’s most serious security issue was packaged and branded, but many server administrators and service providers were left in the dark.

[…]

Google and cloud security vendor CloudFlare were among a very small group that somehow got early access to the flaw and were able to be patched on April 7 prior to the public advisory from OpenSSL.

CloudFlare CEO Matthew Prince told eWEEK that his firm was in fact notified early last week by researchers involved in discovering the bug. Other vendors and Web services, including cloud vendors, however, did not apparently get the same message. Cloud services vendor DigitalOcean is among those that was left scrambling on April 7 to patch servers.

Tripwire has a free tool to scan your environment for Heartbleed-vulnerable devices and apps.  Find it here, and good luck!
http://www.tripwire.com/state-of-security/vulnerability-management/how-to-detect-the-heartbleed-openssl-vulnerability-in-your-environment-2/

Patch quickly, patch often.