Heartbleed
Critical 2014 vulnerability in OpenSSL's TLS heartbeat extension that allowed remote attackers to read up to 64 KB of process memory per request, leaking private keys, session tokens, and passwords from a large fraction of the public web.
Heartbleed (CVE-2014-0160) was a buffer over-read vulnerability in OpenSSL's implementation of the TLS heartbeat extension, disclosed publicly on April 7, 2014. The bug was introduced in a commit on December 31, 2011 and shipped in OpenSSL 1.0.1 (March 2012), so vulnerable code ran on public infrastructure for approximately two years before discovery.

The flaw was conceptually simple: a heartbeat request carried a payload length field that the server trusted without checking it against the size of the payload actually received. By sending a request that claimed a long payload but supplied a short one, an attacker could induce the server to copy and return up to 64 KB of adjacent process memory per request. That memory frequently contained TLS private keys, session cookies, passwords, and other secrets. Exploitation left no distinctive traces in normal server logs.

Heartbleed was independently discovered by a Google engineer (Neel Mehta) and a team at the security firm Codenomicon, who coordinated disclosure and built the heartbleed.com site that gave the bug its name and bleeding-heart logo. Because OpenSSL underpinned HTTPS on a large share of public web servers at the time, the response required essentially the whole web to patch, reissue certificates, and revoke the old ones.

The episode became the canonical counter-example to Linus's Law, the claim that open source's wide visibility makes bugs shallow. The vulnerable code had been openly readable for two years, but OpenSSL at the time was maintained by a tiny, underfunded team and reviewed by very few security-literate eyes. Heartbleed directly motivated the Linux Foundation to form the Core Infrastructure Initiative to fund critical open source security projects.
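A minimal C model of the over-read and of the bounds check that fixed it, added here as an illustration and not OpenSSL's own code: the message layout, the two handler functions, the arena buffer and the "secret" string are all constructed for the example, with the secret placed just past the record the way unrelated heap data would sit next to a real request.

```c
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat message (constructed for this example):
   type (1 byte), payload_length (2 bytes, big-endian), payload, 16 bytes padding. */
#define HB_PADDING 16

/* Vulnerable handler: trusts payload_length from the message and never
   compares it with the length of the record actually received. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    (void)rec_len;                                   /* real length is ignored */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload > out_cap) return 0;                 /* only the destination is bounded */
    memcpy(out, rec + 3, payload);                   /* source bound is the claimed length */
    return payload;
}

/* Hardened handler: the claimed length must fit inside the received record
   (type + length + payload + padding); otherwise the request is discarded. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;      /* too short to be a valid message */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Build a request with a 2-byte payload that claims 40 bytes, followed in the
   same buffer by unrelated data. Returns 1 when the vulnerable handler echoes
   that data back and the fixed handler rejects the request. */
int demo(void) {
    uint8_t arena[128] = {0};
    uint8_t out[128] = {0};
    const char *secret = "PRIVATE-KEY-MATERIAL";        /* 20 bytes, constructed */
    size_t rec_len = 1 + 2 + 2 + HB_PADDING;             /* real record is 21 bytes */
    arena[0] = 1;                                        /* heartbeat_request */
    arena[1] = 0; arena[2] = 40;                         /* claims 40 payload bytes */
    arena[3] = 'h'; arena[4] = 'i';
    memcpy(arena + rec_len, secret, strlen(secret));     /* sits right after the record */

    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    /* out[i] mirrors arena[3 + i], so the secret lands at out[rec_len - 3] */
    int leaked = n == 40 && memcmp(out + rec_len - 3, secret, strlen(secret)) == 0;
    int rejected = heartbeat_fixed(arena, rec_len, out, sizeof out) == 0;
    return leaked && rejected;
}
```

The check in `heartbeat_fixed` mirrors the shape of the actual fix: compare the claimed payload length against the record length before copying, and silently drop the message when it does not fit.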