Did Google hide Heartbleed from the world?

According to an Australian web site, Heartbleed was discovered by two separate groups [Google and the National Cyber Security Centre Finland], who probably did not know that the other had found it.

Google discovered it on March 21st, while NCSCF discovered it on April 3rd. By the time NCSCF found it, Google had already mentioned it to CloudFlare, OpenSSL and Codenomicon [who then registered the web site heartbleed.com a few days after the bug went public]. These companies were informed by Google prior to the public release, but it seems Google did not inform other major sites such as WordPress, DropBox, Box, Tumblr, Amazon Web Services, Twitter, Yahoo and others until at or after the public release.

CloudFlare later boasted on its blog about how it was able to protect its clients before many others. CloudFlare was notified of the bug that week and applied the recommended fix “after signing a non-disclosure agreement”.

It wasn’t until April 7th that the issue went public.

It seems that Google kept the vulnerability to itself while it patched its own servers, and then probably informed a few friends. It was not really until NCSCF discovered it as well that progress towards a public disclosure was made.

You can read the full timeline here.


