

A fixed version of OpenSSL was released on 7 April 2014, the same day Heartbleed was publicly disclosed. The federal Canadian Cyber Incident Response Centre issued a security bulletin advising system administrators about the bug. System administrators were frequently slow to patch their systems. As of 20 May 2014, 1.5% of the 800,000 most popular TLS-enabled websites were still vulnerable to Heartbleed. As of 21 June 2014, 309,197 public web servers remained vulnerable. As of 23 January 2017, according to a report from Shodan, nearly 180,000 internet-connected devices were still vulnerable. As of 6 July 2017, the number had dropped to 144,000, according to a search on shodan.io for "vuln:cve-2014-0160". As of 11 July 2019, Shodan reported that 91,063 devices were vulnerable.

Heartbleed was registered in the Common Vulnerabilities and Exposures database as CVE-2014-0160. It resulted from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension. Thus, the bug's name derived from heartbeat. The vulnerability was classified as a buffer over-read, a situation where more data can be read than should be allowed.
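The missing bounds check described above can be shown with a small model of a heartbeat reply routine. This is an added example, not OpenSSL's code: the function names, the 64-byte arena and the "ADJACENT-DATA" marker are constructed for illustration, and the message layout follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat: type(1) | payload_length(2) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_PADDING = 16 };

/* Flawed pattern: echoes as many bytes as the message claims to carry. */
int hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    (void)rec_len;  /* received length is never consulted: the missing check */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (rec[0] != HB_REQUEST || HB_HEADER + claimed > cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* can read past the record */
    return (int)claimed;
}

/* Corrected pattern: claimed length must fit inside the bytes actually received. */
int hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HB_HEADER + HB_PADDING) return -1;    /* too short to parse */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (rec[0] != HB_REQUEST) return -1;
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return -1;  /* discard silently */
    if (HB_HEADER + claimed > cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return (int)claimed;
}

/* Constructed demo: a 21-byte record inside a 64-byte arena; the bytes after it
 * stand in for unrelated process memory. Returns 1 if they reach the reply. */
int adjacent_bytes_echoed(int use_checked, uint16_t claimed)
{
    uint8_t arena[64] = {0}, out[64] = {0};
    const size_t rec_len = HB_HEADER + 2 + HB_PADDING;  /* real payload: 2 bytes */
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8); arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + HB_HEADER, "hi", 2);
    memcpy(arena + rec_len, "ADJACENT-DATA", 13);       /* constructed marker */
    int n = use_checked ? hb_reply_checked(arena, rec_len, out, sizeof out)
                        : hb_reply_unchecked(arena, rec_len, out, sizeof out);
    if (n < 0) return 0;
    for (size_t i = 0; i + 13 <= (size_t)n; i++)
        if (memcmp(out + HB_HEADER + i, "ADJACENT-DATA", 13) == 0) return 1;
    return 0;
}
```

The demo keeps every read inside the arena, so the over-read is modelled without undefined behaviour; comparing the claimed length against the received record length is what separates the two routines.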

Heartbleed was a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance was running as a TLS server or client. Security company Codenomicon gave Heartbleed both a name and a logo, contributing to public awareness of the issue.
