Connect with us

Hi, what are you looking for?


Network Security

OpenSSL Details Internal Handling of Security Issues

A few months after details of the Heartbleed vulnerability surfaced, OpenSSL published a document outlining the project’s various objectives. One of those objectives was met on Sunday with the release of the organization’s first security policy.

A few months after details of the Heartbleed vulnerability surfaced, OpenSSL published a document outlining the project’s various objectives. One of those objectives was met on Sunday with the release of the organization’s first security policy.

The policy provides some information on how OpenSSL handles security issues internally, and what types of organizations get pre-notifications in case serious vulnerabilities are discovered.

Security issues reported privately to OpenSSL are analyzed and rated based on their severity. The level of severity which can be low, moderate or high depends on versions affected, use cases, common defaults, but is also determined based on the team’s past experiences. OpenSSL might also contact other individuals and organizations that could be able to provide useful information for the development of patches.

Flaws that affect the openssl command line utility, ones that are difficult to exploit, or ones that rely on unlikely configurations are considered low severity issues, and they will generally be fixed immediately in the latest development versions. They might also be backported to older variants that are still supported. These types of vulnerabilities might not trigger new releases, OpenSSL said.

Moderate severity issues include client application crashes, local flaws, and bugs in protocols that are not used commonly (e.g. DTLS). Such vulnerabilities will be kept private until the next release, which will be scheduled so that it includes fixes for several such issues, the OpenSSL security policy notes.

As for high severity vulnerabilities, they refer to flaws that impact common configurations and are likely to be exploited. The list includes server memory leaks, remote code execution, and server denial-of-service (DoS).

“These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control, and significantly quicker if there is a significant risk or we are aware the issue is being exploited,” OpenSSL noted.

Advertisement. Scroll to continue reading.

In general, when an update that contains security fixes is about to be released, the “openssl-announce” list will be notified and information will be provided on the release time and date, and the severity of the vulnerability being addressed. This advance notification is designed to help companies make sure that they have staff ready when the patches are published.

“For updates that include high severity issues we will also prenotify with more details and patches. Our policy is to let the organisations that have a general purpose OS that uses OpenSSL have a few days notice in order to prepare packages for their users and feedback test results,” the security policy reads.

Other organizations that don’t fit into this category might also receive pre-notifications, but this privilege may be withdrawn if they don’t provide feedback, corrections, test results, or other information that can be considered of value.

On the other hand, the OpenSSL Project points out that while everyone would like to get advance notifications, the problem is that the more people know about a vulnerability, the higher the likelihood that details about it will get leaked online.

The organization said it previously relied on third parties such as CPNI, oCERT and CERT/CC to handle notifications, but none of them were suitable.

The Heartbleed bug (CVE-2014-0160) has been the most serious OpenSSL vulnerability uncovered so far, and it’s said to have affected more than 600,000 websites. The security hole was leveraged as an initial vector in a recent attack that resulted in 4.5 million patient records stolen, reportedly by a Chinese APT group. In its latest quarterly threats report, McAfee outlined the numerous opportunities Heartbleed has created for cybercriminals.

Since Heartbleed, the OpenSSL Project has patched a total of 16 vulnerabilities in the open source library, nine of which were addressed last month with the release of versions 0.9.8zb, 1.0.0n and 1.0.1i.

Upcoming Webcast: Gaps In SSH Security Create an Open Door for Attackers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...