d neel mehta, google security - it today · discovers the heartbleed vulnerability friday, march 21...


Upload: doantram

Post on 27-Jul-2018

TRANSCRIPT

NCSC-FI Codenomicon Google OpenSSL Other providers

Neel Mehta, Google Security discovers the Heartbleed vulnerability

Friday, March 21 (or prior)

Google creates and applies patch, which is later sent to OpenSSL

OpenSSL releases a patch two days earlier than originally planned.

A new OpenSSL version is uploaded. OpenSSL then publishes a Heartbleed security advisory, and issues it via its mailing list.

Cloudflare is alerted about Heartbleed, and patches their servers

Google notifies OpenSSL about the vulnerability

Google also tells OpenSSL that they have "notified some infrastructure providers under embargo".

OpenSSL notifies Red Hat, and asks them to share details with other Linux distributions

Facebook patches their servers

OpenSSL decides to push a fix on April 9 to give time for proper processes.

Akamai patches their services

Hello, my name is Heartbleed

Finnish Codenomicon independently discovers Heartbleed vulnerability

Codenomicon notifies National Cyber Security Centre Finland (NCSC-FI)

Timeline dates shown in the infographic: March 21, March 21 - 31, April 1, April 2, April 3, April 4, April 6, April 7

NCSC-FI requests a CVE from CERT/CC

NCSC-FI notifies OpenSSL about the vulnerability

Who knew of Heartbleed prior to release? Google, Cloudflare, OpenSSL, Codenomicon, National Cyber Security Centre Finland, Akamai, and Facebook.

Akamai updates its blog after the denial - prompted by Fairfax - and Akamai's blog now says an individual in the OpenSSL community told them.

Who knew hours before public release? SuSE, Debian, FreeBSD and AltLinux.

Rumours begin to swirl in the open source community about a bug existing in OpenSSL, according to one security person at a Linux distribution Fairfax spoke to. No details were apparent, so it was ignored by most.

Hello again, my name is Heartbleed
