NCSC-FI Codenomicon Google OpenSSL Other providers
Neel Mehta, Google Security discovers the Heartbleed vulnerability
Friday, March 21 (or prior)
Google creates and applies patch, which is later sent to OpenSSL
OpenSSL releases a patch two days earlier than originally planned.
A new OpenSSL version is uploaded. OpenSSL then publishes a Heartbleed
security advisory, and issues it via its mailing list.
Cloudflare is alerted about Heartbleed, and patches their servers
Google notifies OpenSSL about the vulnerability
Google also tells OpenSSL that they have
"notified some infrastructure providers under embargo".
OpenSSL notifies Red Hat and asks them to
share details with other Linux distributions
Facebook patches their servers
OpenSSL decides to push a fix on April 9 to
give time for proper processes.
Akamai patches their services
Hello, my name is
Heartbleed
Finnish Codenomicon independently discovers Heartbleed vulnerability
Codenomicon notifies National Cyber
Security Centre Finland (NCSC-FI)
Timeline dates shown: March 21; March 21 - 31; April 1; April 2; April 3; April 4; April 6; April 7
NCSC-FI requests a CVE from CERT/CC
NCSC-FI notifies OpenSSL about the vulnerability
Who knew of Heartbleed prior to release? Google, Cloudflare, OpenSSL, Codenomicon, National Cyber Security Centre Finland, Akamai, and Facebook.
Akamai updates its blog after the denial - prompted by Fairfax - and Akamai's blog now says an individual in the OpenSSL community told them.
Who knew hours before public release? SuSE, Debian, FreeBSD and AltLinux.
Rumours begin to swirl in open source community about a bug existing in OpenSSL, according to one security person at a Linux distribution Fairfax spoke to. No details were apparent so it was ignored by most.
Hello again, my name is
Heartbleed