Heartbleed Disclosure Timeline Revealed
bennyboy64 (1437419) writes "Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get to the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 3. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7 — a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL."
Re:Negligence (Score:4, Insightful)
Negligence? They don't owe you a fucking thing.
Also, the flaw has also existed for over two years. What does one more week hurt?
Re:Negligence (Score:5, Insightful)
Re:End result: mass panic (Score:2, Insightful)
And you also see this same type of thing in proprietary software, where tons of losers are hired to work on the code, with predictably terrible results. The thing about open source is that anyone can see the source code, and people not part of the group that wrote the code can check it, so you at least have some chance of understanding what's going on.
Anyone who claims that open source advocates claim that open source is 100% immune from all flaws is just spewing forth straw men.
Re:Negligence (Score:5, Insightful)
Re:Negligence (Score:2, Insightful)
10 days to figure out a patch that was: 1) secure 2) stable 3) well tested??? 4) passed legal?
I mean... 10 days isn't a 'long' time for a big company like this to 'find' and then 'report' a bug, especially of THIS magnitude