
Online Security and Corporate Honesty


In the past two days I’ve received 12 emails from various online services about the Heartbleed bug and what I should do to protect myself. I wonder when the other 120 online services I subscribe to will get around to mailing me.

One of the twelve providers who contacted me explained that they did, in fact, have the vulnerability, but that everything is now patched and I need not worry myself about it. Including, as I discovered in a subsequent email exchange, not worrying about changing my password, since their architecture is “built to avoid a leak of sensitive information”. Needless to say, my trust in this particular service provider has been greatly reduced.

Dear companies-who-had-the-Heartbleed-vulnerability-and-are-saying-nothing-about-it:

  1. It is your duty to inform customers what you’ve done about security breaches, even if it’s just to let them know everything is OK.
  2. If you did have this particular vulnerability, and you’ve patched it, it’s your duty to tell your customers to change their passwords, since there is no way you can know whether customer information was stolen from your servers.
  3. Lastly, be assured that sending a “Please change your password” email will not make you look bad in the eyes of your customers. The opposite is true: it will serve as proof of your corporate honesty, integrity, and good intentions. It’s the right thing to do.

Filed under: makers, stupid stupid stupid, technology
