Security

Heartbleed Disclosure Timeline Revealed

Posted by samzenpus
from the when-did-you-know dept.
bennyboy64 (1437419) writes "Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get to the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 3. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7 — a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL."
  • Re:Negligence (Score:4, Insightful)

    by batrick (1274632) on Monday April 14, 2014 @06:30PM (#46751569)

    Negligence? They don't owe you a fucking thing.

    Also, the flaw has existed for over two years. What does one more week hurt?

  • Re:Negligence (Score:5, Insightful)

    by Anonymous Coward on Monday April 14, 2014 @06:32PM (#46751585)
    Simple, to fully test and develop the patch (see: https://bugzilla.redhat.com/at... [redhat.com] ). It's much better if someone who both knows of a problem and has the ability to fix it sits on the announcement to keep from wider exposure. This helps keep the common knowledge exploitation period to a minimum.
  • by Anonymous Coward on Monday April 14, 2014 @06:39PM (#46751619)

    And you also see this same type of thing in proprietary software, where tons of losers are hired to work on the code, with predictably terrible results. The thing about open source is that anyone can see the source code, and people not part of the group that wrote the code can check it, so you at least have some chance of understanding what's going on.

    Anyone who claims that open source advocates claim that open source is 100% immune from all flaws is just spewing forth straw men.

  • Re:Negligence (Score:5, Insightful)

    by freeze128 (544774) on Monday April 14, 2014 @06:46PM (#46751675)
    Also, April 1st is the *WORST* day to notify ANYONE that there is a severe security flaw.
  • Re:Negligence (Score:2, Insightful)

    by Anonymous Coward on Monday April 14, 2014 @07:48PM (#46752075)

    10 days to figure out a patch that was: 1) secure 2) stable 3) well tested??? 4) passed legal?

    I mean... 10 days isn't a 'long' time for a big company like this to 'find' and then 'report' a bug, especially of THIS magnitude.
