Did Google hide Heartbleed from the world?

According to an Australia web site, when Heartbleed was discovered by two separate groups [Google and National Cyber Security Centre Finland], but they probably didn’t know the other discovered it.

Google discovered it on March 21st while NCSCF discovered it on April 3rd. But by the time NCSCF discovered it, Google already mentioned it to CloudFlare, OpenSSL and Codenomicon [who then registered the web site heartbleed.com a few days after the bug went public]. These companies were informed prior to the public release by Google but it seems Google did not inform other major sites such as WordPress, DropBox, Box, Tumblr, Amazon Web Services, Twitter, Yahoo and others until at or after the public release.

CloudFlare later boasts on its blog about how they were able to protect their clients before many others. CloudFlare was notified of the bug the week and made the recommended fix “after signing a non-disclosure agreement”.

It wasn’t until April 7th that the issue went public.

It seems that Google kept the vulnerability to themselves while they patched their own servers and then probably informed friends of theirs. It wasn’t really until NCSCF discovered it as well that progress towards a public disclosure would occur.

You can read the full time line here.


About ebraiter
computer guy

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: