After an exhaustive review, the Vision Critical Technology team has verified that no end user data was exposed as a result of the so-called "Heartbleed Bug."
What is the Heartbleed Bug?
On Monday, April 7 the OpenSSL Project released an update to address CVE-2014-0160, a vulnerability affecting a substantial number of services on the Internet, which has been widely reported on and is referred to as the Heartbleed Bug.
Before going into further detail, we want to reassure our clients that the Vision Critical Technology team has verified that this vulnerability has not exposed any end user data at any point. Although Vision Critical does use OpenSSL, we can confirm that the affected versions of OpenSSL (1.0.1 and 1.0.2-beta) are not currently, nor have they been, used to host Vision Critical's SaaS products.
For more technical detail on this issue, please refer to heartbleed.com.
Vision Critical and the Heartbleed Bug
The technology group here at Vision Critical has been working hard since the vulnerability was revealed to ensure the security of our customers' data. We have reviewed all Vision Critical services for the issue and have determined that none of our services have been exposed to this vulnerability. There are, however, three areas worth elaborating on:
- Media stored in Content Delivery Networks: We use Content Delivery Networks (CDNs) to enable faster delivery of images to end users. We have confirmed that our Content Delivery Network Partners have mitigated any vulnerabilities related to the Heartbleed Bug and we are in the process of replacing SSL certificates related to our use of this service. Please note: This service only hosts media and we don't ever share client data with third parties, so no end user data was ever exposed.
- External Web Monitoring: A remote service used to externally monitor the availability of public Vision Critical services was running one of the versions of OpenSSL impacted by the Heartbleed Bug. We have confirmed that the service is no longer vulnerable and have replaced all potentially exposed SSL certificates. Please note: This service was used for monitoring only and no end user data was ever exposed.
- Client Services: Some clients have chosen to put other services in front of or in association with the services we provide. As good members of the tech community we are reaching out in an attempt to share the knowledge we have gained about this vulnerability.
In short and to reiterate, we want to reassure Vision Critical clients and end users that they need not worry about this vulnerability having exposed any end user data hosted by Vision Critical. Although Vision Critical does use OpenSSL we can confirm that the affected versions of OpenSSL (1.0.1 and 1.0.2-beta) are not currently, nor have they been, used to host Vision Critical's SaaS products.
We mentioned above that this is an Internet-wide issue. Whether you are a direct client of Vision Critical or an end user who is concerned about the services you are using, we have two handy pointers for you.
First, you can read all about the issue for yourself at http://heartbleed.com/.
If you have additional questions or concerns feel free to contact us.