Heartbleed

Heartbleed

Logo representing Heartbleed. Awareness and media coverage of Heartbleed was unusually high for a software bug.[1][2]
CVE identifier(s)	CVE-2014-0160
Released	1 February 2012;12 years ago(2012-02-01)
Date discovered	1 April 2014;10 years ago(2014-04-01)
Date patched	7 April 2014;10 years ago(2014-04-07)
Discoverer	Neel Mehta[d](Google Security)[3] Riku, Antti, and Matti (Codenomicon)[3][4]
Affected software	OpenSSL(1.0.1)
Website	heartbleed

Heartbleedis asecurity bugin some outdated versions of theOpenSSLcryptographylibrary, which is a widely used implementation of theTransport Layer Security(TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It resulted from improper input validation (due to a missingbounds check) in the implementation of the TLSheartbeatextension.^[5]Thus, the bug's name derived fromheartbeat.^[6]The vulnerability was classified as abuffer over-read,^[7]a situation where more data can be read than should be allowed.^[8]

Heartbleed was registered in theCommon Vulnerabilities and Exposuresdatabase asCVE-2014-0160.^[7]The federalCanadian Cyber Incident Response Centreissued a security bulletin advising system administrators about the bug.^[9]A fixed version of OpenSSL was released on 7 April 2014, on the same day Heartbleed was publicly disclosed.^[10]

TLS implementations other than OpenSSL, such asGnuTLS,Mozilla'sNetwork Security Services,and theWindows platform implementation of TLS,were not affected because the defect existed in the OpenSSL's implementation of TLS rather than in the protocol itself.^[11]

System administrators were frequently slow to patch their systems. As of 20 May 2014^[update],1.5% of the 800,000 most popular TLS-enabled websites were still vulnerable to Heartbleed.^[12]As of 21 June 2014^[update],309,197 public web servers remained vulnerable.^[13]As of 23 January 2017^[update],according to a report^[14]fromShodan,nearly 180,000 internet-connected devices were still vulnerable.^[15][16]As of 6 July 2017^[update],the number had dropped to 144,000, according to a search on shodan.io for "vuln:cve-2014-0160".^[17]As of 11 July 2019^[update],Shodan reported^[18]that 91,063 devices were vulnerable. The U.S. was first with 21,258 (23%), the top 10 countries had 56,537 (62%), and the remaining countries had 34,526 (38%). The report also broke the devices down by 10 other categories such as organization (the top 3 were wireless companies), product (Apache httpd,Nginx), or service (HTTPS,81%).

The Heartbeat Extension for theTransport Layer Security(TLS) andDatagram Transport Layer Security(DTLS) protocols was proposed as a standard in February 2012 byRFC6520.^[19]It provides a way to test and keep alive secure communication links without the need to renegotiate the connection each time. In 2011, one of the RFC's authors, Robin Seggelmann, then a Ph.D. student at theFachhochschule Münster,implemented the Heartbeat Extension for OpenSSL. Following Seggelmann's request to put the result of his work into OpenSSL,^[20][21][22]his change was reviewed by Stephen N. Henson, one of OpenSSL's four core developers. Henson failed to notice a bug in Seggelmann's implementation, and introduced the flawed code into OpenSSL's source code repository on 31 December 2011. The defect spread with the release of OpenSSL version 1.0.1 on 14 March 2012. Heartbeat support was enabled by default, causing affected versions to be vulnerable.^[3][23]

According to Mark J. Cox of OpenSSL, Neel Mehta of Google's security team privately reported Heartbleed to the OpenSSL team on 1 April 2014 11:09 UTC.^[24]

The bug was named by an engineer at Synopsys Software Integrity Group, a Finnish cyber security company that also created the bleeding heart logo^[25]and launched an informational website, heartbleed.^[26]While Google's security team reported Heartbleed to OpenSSL first, both Google and Codenomicon discovered it independently at approximately the same time.^[27][28]Codenomicon reports 3 April 2014 as their date of discovery and their date of notification ofNCSC-FI[fi]for vulnerability coordination.^[29]

At the time of disclosure, some 17% (around half a million) of the Internet's secure web servers certified bytrusted authoritieswere believed to be vulnerable to the attack, allowing theft of the servers'private keysand users' session cookies and passwords.^{[30][31][32][33][34]}TheElectronic Frontier Foundation,^[35]Ars Technica,^[36]andBruce Schneier^[37]all deemed the Heartbleed bug "catastrophic".Forbescybersecurity columnist Joseph Steinberg wrote:

Some might argue that Heartbleed is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.^[38]

An unidentified UK Cabinet Office spokesman recommended that:

People should take advice on changing passwords from the websites they use. Most websites have corrected the bug and are best placed to advise what action, if any, people need to take.^[39]

On the day of disclosure,The Tor Projectadvised:

If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.^[40]

The Sydney Morning Heraldpublished a timeline of the discovery on 15 April 2014, showing that some organizations had been able to patch the bug before its public disclosure. In some cases, it is not clear how they found out.^[41]

Bodo Möller and Adam Langley ofGoogleprepared the fix for Heartbleed. The resulting patch was added toRed Hat's issue tracker on 21 March 2014.^[42]Stephen N. Henson applied the fix to OpenSSL's version control system on 7 April.^[43]The first fixed version, 1.0.1g, was released on the same day. As of 21 June 2014^[update],309,197 public web servers remained vulnerable.^[13]As of 23 January 2017^[update],according to a report^[14]from Shodan, nearly 180,000 internet-connected devices were still vulnerable.^[15][16]The number had dropped to 144,000 as of 6 July 2017^[update],according to a search on shodan.io for "vuln:cve-2014-0160".^[17]

According toNetcraft,about 30,000 of the 500,000+ X.509 certificates which could have been compromised due to Heartbleed had been reissued by 11 April 2014, although fewer had been revoked.^[44]

By 9 May 2014, only 43% of affected web sites had reissued their security certificates. In addition, 7% of the reissued security certificates used the potentially compromised keys. Netcraft stated:

By reusing the same private key, a site that was affected by the Heartbleed bug still faces exactly the same risks as those that have not yet replaced theirSSL certificates.^[45]

eWeeksaid, "[Heartbleed is] likely to remain a risk for months, if not years, to come."^[46]

Cloudflarerevoked all TLS certificates and estimated that publishing itsCertificate revocation listwould cost the issuer,GlobalSign,$400,000 per month that year.^[47]

TheCanada Revenue Agencyreported a theft ofsocial insurance numbersbelonging to 900 taxpayers, and said that they were accessed through an exploit of the bug during a 6-hour period on 8 April 2014.^[48]After the discovery of the attack, the agency shut down its website and extended the taxpayer filing deadline from 30 April to 5 May.^[49]The agency said it would provide credit protection services at no cost to anyone affected. On 16 April, theRCMPannounced they had charged a computer science student in relation to the theft withunauthorized use of a computerandmischief in relation to data.^[50][51]

The UK parenting siteMumsnethad several user accounts hijacked, and its CEO was impersonated.^[52]The site later published an explanation of the incident saying it was due to Heartbleed and the technical staff patched it promptly.^[53]

Anti-malware researchers also exploited Heartbleed to their own advantage in order to access secret forums used by cybercriminals.^[54]Studies were also conducted by deliberately setting up vulnerable machines. For example, on 12 April 2014, at least two independent researchers were able to stealprivate keysfrom an experimental server intentionally set up for that purpose byCloudFlare.^[55][56]Also, on 15 April 2014,J. Alex Halderman,a professor atUniversity of Michigan,reported that hishoneypotserver, an intentionally vulnerable server designed to attract attacks in order to study them, had received numerous attacks originating from China. Halderman concluded that because it was a fairly obscure server, these attacks were probably sweeping attacks affecting large areas of the Internet.^[57]

In August 2014, it was made public that the Heartbleed vulnerability enabled hackers to steal security keys fromCommunity Health Systems,the second-biggest for-profit U.S. hospital chain in the United States, compromising the confidentiality of 4.5 million patient records. The breach happened a week after Heartbleed was first made public.^[58]

Many major web sites patched the bug or disabled the Heartbeat Extension within days of its announcement,^[59]but it is unclear whether potential attackers were aware of it earlier and to what extent it was exploited.^{[citation needed]}

Based on examinations of audit logs by researchers, it has been reported that some attackers may have exploited the flaw for at least five months before discovery and announcement.^[60][61]Errata Security pointed out that a widely used non-malicious program calledMasscan,introduced six months before Heartbleed's disclosure, abruptly terminates the connection in the middle of handshaking in the same way as Heartbleed, generating the same server log messages, adding "Two new things producing the same error messages might seem like the two are correlated, but of course, they aren't.^[62]"

According toBloomberg News,two unnamed insider sources informed it that the United States'National Security Agencyhad been aware of the flaw since shortly after its appearance but‍—instead of reporting it‍—kept it secret among other unreportedzero-dayvulnerabilities in order to exploit it for the NSA's own purposes.^[63][64][65]The NSA has denied this claim,^[66]as hasRichard A. Clarke,a member of theNational Intelligence Review Group on Intelligence and Communications Technologiesthat reviewed the United States' electronic surveillance policy; he told Reuters on 11 April 2014 that the NSA had not known of Heartbleed.^[67]The allegation prompted the American government to make, for the first time, a public statement on its zero-day vulnerabilities policy, accepting the recommendation of the review group's 2013 report that had asserted "in almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection", and saying that the decision to withhold should move from the NSA to the White House.^[68]

The RFC 6520 Heartbeat Extension tests TLS/DTLS secure communication links by allowing a computer at one end of a connection to send aHeartbeat Requestmessage, consisting of a payload, typically a text string, along with the payload's length as a16-bitinteger. The receiving computer then must send exactly the same payload back to the sender.^{[citation needed]}

The affected versions of OpenSSL allocate amemory bufferfor the message to be returned based on the length field in the requesting message, without regard to the actual size of that message's payload. Because of this failure to do properbounds checking,the message returned consists of the payload, possibly followed by whatever else happened to be in the allocated memory buffer.^{[citation needed]}

Heartbleed is therefore exploited by sending a malformed heartbeat request with a small payload and large length field to the vulnerable party (usually a server) in order to elicit the victim's response, permitting attackers to read up to 64 kilobytes of the victim's memory that was likely to have been used previously by OpenSSL.^[69]Where a Heartbeat Request might ask a party to "send back the four-letter word 'bird'", resulting in a response of "bird", a "Heartbleed Request" (a malicious heartbeat request) of "send back the 500-letter word 'bird'" would cause the victim to return "bird" followed by whatever 496 subsequent characters the victim happened to have in active memory. Attackers in this way could receive sensitive data, compromising the confidentiality of the victim's communications. Although an attacker has some control over the disclosed memory block's size, it has no control over its location, and therefore cannot choose what content is revealed.^{[citation needed]}

The affected versions of OpenSSL are OpenSSL 1.0.1 through 1.0.1f (inclusive). Subsequent versions (1.0.1g^[70]and later) and previous versions (1.0.0 branch and older) are not vulnerable.^[71]Installations of the affected versions are vulnerable unless OpenSSL was compiled with-DOPENSSL_NO_HEARTBEATS.^[72][73]

The vulnerable program source files are t1_lib.c and d1_both.c and the vulnerable functions are tls1_process_heartbeat() and dtls1_process_heartbeat().^[74][75]

The problem can be fixed by ignoring Heartbeat Request messages that ask for more data than their payload need, as required by the RFC.

Version 1.0.1g of OpenSSL adds some bounds checks to prevent the buffer over-read. For example, the following test was introduced to determine whether a heartbeat request would trigger Heartbleed; it silently discards malicious requests.

if(1+2+payload+16>s->s3->rrec.length)return0;/* silently discard per RFC 6520 sec. 4 */

The OpenSSL version control system contains a complete list of changes.^[43]

The data obtained by a Heartbleed attack may include unencrypted exchanges between TLS parties likely to be confidential, including any formpost datain users' requests. Moreover, the confidential data exposed could include authentication secrets such assession cookiesand passwords, which might allow attackers to impersonate a user of the service.^[76]

An attack may also revealprivate keysof compromised parties,^[3][77]which would enable attackers to decrypt communications (future or past stored traffic captured via passive eavesdropping, unlessperfect forward secrecyis used, in which case only future traffic can be decrypted if intercepted viaman-in-the-middle attacks).^{[citation needed]}

An attacker having gained authentication material may impersonate the material's owner after the victim has patched Heartbleed, as long as the material is accepted (for example, until the password is changed or the private key revoked). Heartbleed therefore constitutes a critical threat to confidentiality. However, an attacker impersonating a victim may also alter data. Indirectly, Heartbleed's consequences may thus go far beyond a confidentiality breach for many systems.^[78]

A survey of American adults conducted in April 2014 showed that 60 percent had heard about Heartbleed. Among those using the Internet, 39 percent had protected their online accounts, for example by changing passwords or canceling accounts; 29 percent believed their personal information was put at risk because of the Heartbleed bug; and 6 percent believed their personal information had been stolen.^[79]

Although the bug received more attention due to the threat it represents for servers,^[80]TLS clients using affected OpenSSL instances are also vulnerable. In whatThe Guardiantherefore dubbedReverse Heartbleed,malicious servers are able to exploit Heartbleed to read data from a vulnerable client's memory.^[81]Security researcher Steve Gibson said of Heartbleed that:

It's not just a server-side vulnerability, it's also a client-side vulnerability because the server, or whomever you connect to, is as able to ask you for a heartbeat back as you are to ask them.^[82]

The stolen data could contain usernames and passwords.^[83]Reverse Heartbleed affected millions of application instances.^[81]Some of the vulnerable applications are listed in the"Software applications" section below.^{[citation needed]}

Cisco Systemshas identified 78 of its products as vulnerable, including IP phone systems and telepresence (video conferencing) systems.^[84]

An analysis posted onGitHubof the most visited websites on 8 April 2014 revealed vulnerabilities in sites includingYahoo!,Imgur,Stack Overflow,Slate,andDuckDuckGo.^[85][86]The following sites have services affected or made announcements recommending that users update passwords in response to the bug:

The Canadian federal government temporarily shut online services of theCanada Revenue Agency(CRA) and several government departments over Heartbleed bug security concerns.^[111][112]Before the CRA online services were shut down, a hacker obtained approximately 900social insurance numbers.^[113][114]Another Canadian Government agency,Statistics Canada,had its servers compromised due to the bug and also temporarily took its services offline.^[115]

Platform maintainers like the Wikimedia Foundation advised their users to change passwords.^[108]

The servers ofLastPasswere vulnerable,^[116]but due to additional encryption and forward secrecy, potential attacks were not able to exploit this bug. However, LastPass recommended that its users change passwords for vulnerable websites.^[117]

TheTorProject recommended that Tor relay operators and hidden service operators revoke and generate fresh keys after patching OpenSSL, but noted that Tor relays use two sets of keys and that Tor's multi-hop design minimizes the impact of exploiting a single relay.^[40]586 relays later found to be susceptible to the Heartbleed bug were taken off-line as a precautionary measure.^{[118][119][120][121]}

Game-related services includingSteam,Minecraft,Wargaming,League of Legends,GOG,Origin,Sony Online Entertainment,Humble Bundle,andPath of Exilewere affected and subsequently fixed.^[122]

Vulnerable software applications include:

• SeveralHewlett-Packardserver applications, such as HP System Management Homepage (SMH) for Linux and Windows.^[123]
• Some versions ofFileMaker13^[124]
• LibreOffice4.2.0 to 4.2.2 (fixed in 4.2.3)^[125][126]
• LogMeInclaimed to have "updated many products and parts of our services that rely on OpenSSL".^[127]
• MultipleMcAfeeproducts, in particular some versions of software providing anti-viral coverage for Microsoft Exchange, software firewalls, and McAfee Email and Web Gateways^[128]
• OracleMySQLConnector/C 6.1.0-6.1.3 and Connector/ODBC 5.1.13, 5.2.5-5.2.6, 5.3.2^[129]
• Oracle Big Data Appliance(includes Oracle Linux 6)^[129]
• PrimaveraP6 Professional Project Management (includes Primavera P6 Enterprise Project Portfolio Management)^[129]
• WinSCP(FTP client for Windows) 5.5.2 and some earlier versions (only vulnerable with FTP over TLS/SSL, fixed in 5.5.3)^[130]
• MultipleVMwareproducts, includingVMware ESXi5.5,VMware Player6.0,VMware Workstation10 and the series of Horizon products, emulators and cloud computing suites^[131]

Several otherOracle Corporationapplications were affected.^[129]

Several Linux distributions were affected, includingDebian^[132](and derivatives such asLinux MintandUbuntu^[133]) andRed Hat Enterprise Linux^[134](and derivatives such asCentOS,^[135]Oracle Linux6^[129]andAmazon Linux^[136]), as well as the following operating systems and firmware implementations:

• Android4.1.1, used in various portable devices.^[137]Chris Smith writes inBoy Genius Reportthat just this one version of Android is affected but that it is a popular version of Android (Chitikaclaim 4.1.1 is on 50 million devices;^[138]Google describe it as less than 10% of activated Android devices). Other Android versions are not vulnerable as they either have heartbeats disabled or use an unaffected version of OpenSSL.^[139][140]
• Firmware for someAirPortbase stations^[141]
• Firmware for someCisco Systemsrouters^{[84][142][143]}
• Firmware for someJuniper Networksrouters^[143][144]
• pfSense2.1.0 and 2.1.1 (fixed in 2.1.2)^[145]
• DD-WRTversions between and including 19163 and 23881 (fixed in 23882)^[146]
• Western DigitalMy Cloud product family firmware^[147]

Several services have been made available to test whether Heartbleed affects a given site. However, many services have been claimed to be ineffective for detecting the bug.^[148]The available tools include:

• Tripwire SecureScan^[149]
• AppCheck – static binary scan and fuzzing, from Synopsys Software Integrity Group (formerly Codenomicon)^[150]
• Arbor Network's Pravail Security Analytics^[151]
• Norton Safeweb Heartbleed Check Tool^[152]
• Heartbleed testing tool by a European IT security company^[153]
• Heartbleed test by Italian cryptographer Filippo Valsorda^[154]
• Heartbleed Vulnerability Test byCyberoam^[155]
• Critical Watch Free Online Heartbleed Tester^[156]
• MetasploitHeartbleed scanner module^[157]
• Heartbleed Server Scanner by Rehmann^[158]
• Lookout Mobile Security Heartbleed Detector, an app forAndroiddevices that determines the OpenSSL version of the device and indicates whether the vulnerable heartbeat is enabled^[159]
• Heartbleed checker hosted byLastPass^[160]
• Online network range scanner for Heartbleed vulnerability by Pentest-Tools^[161]
• OfficialRed Hatoffline scanner written in the Python language^[162]
• QualysSSL Labs' SSL Server Test^[163]which not only looks for the Heartbleed bug, but can also find other SSL/TLS implementation errors.
• Browser extensions, such as Chromebleed^[164]and FoxBleed^[165]
• SSL Diagnos^[166]
• CrowdStrike Heartbleed Scanner^[167]– Scans routers, printers and other devices connected inside a network including intranet web sites.^[168]
• Netcraft Site Report^[169]– indicates whether a website's confidentiality could be jeopardized due to a past exploitation of Heartbleed by checking data from Netcraft's SSL Survey to determine whether a site offered the heartbeat TLS Extension prior to the Heartbleed disclosure. The Netcraft Extensions for Chrome, Firefox and Opera^[170]also perform this check, whilst looking for potentially compromised certificates.^[171]

Other security tools have added support for finding this bug. For example, Tenable Network Security wrote a plugin for itsNessusvulnerability scanner that can scan for this fault.^[172]TheNmapsecurity scanner includes a Heartbleed detection script from version 6.45.^[173]

Sourcefirehas releasedSnortrules to detect Heartbleed attack traffic and possible Heartbleed response traffic.^[174]Open source packet analysis software such asWiresharkandtcpdumpcan identify Heartbleed packets using specific BPF packet filters that can be used on stored packet captures or live traffic.^[175]

Vulnerability to Heartbleed is resolved by updating OpenSSL to apatchedversion (1.0.1g or later). OpenSSL can be used either as a standalone program, adynamic shared object,or astatically-linked library;therefore, the updating process can require restarting processes loaded with a vulnerable version of OpenSSL as well as re-linking programs and libraries that linked it statically. In practice this means updating packages that link OpenSSL statically, and restarting running programs to remove the in-memory copy of the old, vulnerable OpenSSL code.^{[citation needed]}

After the vulnerability is patched, server administrators must address the potential breach of confidentiality. Because Heartbleed allowed attackers to discloseprivate keys,they must be treated as compromised; key pairs must be regenerated, andcertificatesthat use them must be reissued; the old certificates must berevoked.Heartbleed also had the potential to allow disclosure of other in-memory secrets; therefore, other authentication material (such aspasswords) should also be regenerated. It is rarely possible to confirm that a system which was affected has not been compromised, or to determine whether a specific piece of information was leaked.^[176]

Since it is difficult or impossible to determine when a credential might have been compromised and how it might have been used by an attacker, certain systems may warrant additional remediation work even after patching the vulnerability and replacing credentials. For example, signatures made by keys that were in use with a vulnerable OpenSSL version might well have been made by an attacker; this raises the possibility integrity has been violated, and opens signatures torepudiation.Validation of signatures and the legitimacy of other authentications made with a potentially compromised key (such asclient certificateuse) must be done with regard to the specific system involved.^{[citation needed]}

Since Heartbleed threatened the privacy of private keys, users of a website which was compromised could continue to suffer from Heartbleed's effects until their browser is made aware of the certificate revocation or the compromised certificate expires.^[177]For this reason, remediation also depends on users making use of browsers that have up-to-date certificate revocation lists (orOCSPsupport) and honour certificate revocations.^{[citation needed]}

Although evaluating the total cost of Heartbleed is difficult,eWeekestimated US$500 million as a starting point.^[178]

David A. Wheeler's paperHow to Prevent the next Heartbleedanalyzes why Heartbleed wasn't discovered earlier, and suggests several techniques which could have led to a faster identification, as well as techniques which could have reduced its impact. According to Wheeler, the most efficient technique which could have prevented Heartbleed is a test suite thoroughly performingrobustness testing,i.e. testing that invalid inputs cause failures rather than successes. Wheeler highlights that a single general-purpose test suite could serve as a base for all TLS implementations.^[179]

According to an article onThe Conversationwritten by Robert Merkel, Heartbleed revealed amassive failure of risk analysis.Merkel thinks OpenSSL gives more importance to performance than to security, which no longer makes sense in his opinion. But Merkel considers that OpenSSL should not be blamed as much as OpenSSL users, who chose to use OpenSSL, without funding better auditing and testing. Merkel explains that two aspects determine the risk that more similar bugs will cause vulnerabilities. One, the library's source code influences the risk of writing bugs with such an impact. Secondly, OpenSSL's processes affect the chances of catching bugs quickly. On the first aspect, Merkel mentions the use of theC programming languageas one risk factor which favored Heartbleed's appearance, echoing Wheeler's analysis.^[179][180]

On the same aspect,Theo de Raadt,founder and leader of theOpenBSDandOpenSSHprojects, has criticized the OpenSSL developers for writing their own memory management routines and thereby, he claims, circumventing OpenBSDC standard libraryexploit countermeasures, saying "OpenSSL is not developed by a responsible team."^[181][182]Following Heartbleed's disclosure, members of the OpenBSD projectforkedOpenSSL intoLibreSSL.^[183]LibreSSL made a big code cleanup, removing more than 90,000 lines of C code just in its first week.^[184]

The author of the change which introduced Heartbleed, Robin Seggelmann,^[185]stated that hemissed validating a variable containing a lengthand denied any intention to submit a flawed implementation.^[20]Following Heartbleed's disclosure, Seggelmann suggested focusing on the second aspect, stating that OpenSSL is not reviewed by enough people.^[186]Although Seggelmann's work was reviewed by an OpenSSL core developer, the review was also intended to verify functional improvements, a situation making vulnerabilities much easier to miss.^[179]

OpenSSL core developerBen Laurieclaimed that a security audit of OpenSSL would have caught Heartbleed.^[187]Software engineer John Walsh commented:

Think about it, OpenSSL only has two [fulltime] people to write, maintain, test, and review 500,000 lines of business critical code.^[188]

The OpenSSL foundation's president, Steve Marquess, said "The mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn't happened more often."^[188]David A. Wheeler described audits as an excellent way to find vulnerabilities in typical cases, but noted that "OpenSSL uses unnecessarily complex structures, which makes it harder to both humans and machines to review." He wrote:

There should be a continuous effort to simplify the code, because otherwise just adding capabilities will slowly increase the software complexity. The code should be refactored over time to make it simple and clear, not just constantly add new features. The goal should be code that is "obviously right", as opposed to code that is so complicated that "I can't see any problems".^[179]

According to security researcherDan Kaminsky,Heartbleed is sign of an economic problem which needs to be fixed. Seeing the time taken to catch this simple error in a simple feature from a "critical" dependency, Kaminsky fears numerous future vulnerabilities if nothing is done. When Heartbleed was discovered, OpenSSL was maintained by a handful of volunteers, only one of whom worked full time.^[189]Yearly donations to the OpenSSL project were about US$2,000.^[190]The Heartbleed website from Codenomicon advised money donations to the OpenSSL project.^[3]After learning about donations for the 2 or 3 days following Heartbleed's disclosure totaling US$841, Kaminsky commented "We are building the most important technologies for the global economy on shockingly underfunded infrastructure."^[191]Core developer Ben Laurie has qualified the project as "completely unfunded".^[190]Although the OpenSSL Software Foundation has nobug bounty program,the Internet Bug Bounty initiative awarded US$15,000 to Google's Neel Mehta, who discovered Heartbleed, for his responsible disclosure.^[190]Mehta later donated his reward to aFreedom of the Press Foundationfundraiser.^[192]

Paul Chiusano suggested Heartbleed may have resulted from failed software economics.^[193]

The industry's collective response to the crisis was theCore Infrastructure Initiative,a multimillion-dollar project announced by theLinux Foundationon 24 April 2014 to provide funds to critical elements of the global information infrastructure.^[194]The initiative intends to allow lead developers to work full time on their projects and to pay for security audits, hardware and software infrastructure, travel, and other expenses.^[195]OpenSSL is a candidate to become the first recipient of the initiative's funding.^[194]

After the discovery Google establishedProject Zerowhich is tasked with findingzero-day vulnerabilitiesto help secure the Web and society.^[196][197]

• Summary and Q&A about the bugby Codenomicon Ltd
• Information for Canadian organizations and individuals
• List of all security noticesArchived19 July 2018 at theWayback Machine