The lessons of Heartbleed have been learned well. The open-source OpenSSL Project disclosed and patched seven security updates on June 5, and the process was markedly different from the activity that led up to the disclosure of the Heartbleed flaw in April.
One thing that has changed for OpenSSL since Heartbleed surfaced is that there is money on the table to find and fix flaws. HP’s ZDI pays security researchers for their vulnerability disclosures.
The Linux Foundation’s Core Infrastructure Initiative (CII) now has $5.4 million in funding raised in response to Heartbleed. CII is funding efforts, including OpenSSL, to help improve security. One of the CII-funded initiatives is an audit of OpenSSL by the Open Crypto Audit Project (OCAP), which has only just begun.
In the post-Heartbleed era, there will be more OpenSSL security updates, and that’s a good thing. Open-source security isn’t about pretending we live in a world without vulnerabilities; it’s about finding the vulnerabilities that exist and fixing them in a responsible manner, just like OpenSSL is now doing.