Articles around the web have started popping up, stating that the U.S. National Security Agency knew about the Heartbleed bug for more than 2 years.
While OpenSSL is funded by an open-source community whose members devote their time to developing the library, the NSA devotes millions of dollars to hunting for backdoors and exploits that it can use to its advantage in gathering intelligence.
Which leads us to the question: if you knew of an exploit that YOU could use to your advantage, would you tell the world about it? Our security analysts think NOT.
If a flaw could be used to gain access to confidential data that can be used to someone's advantage, in most cases, it is unlikely that this person or organization would notify anyone.
The NSA is very well known for spying on unsuspecting victims, and so it is quite believable that they have their own group of hackers and crackers that search for exploitable code, not to mention they get paid to do it!
The bug was first introduced in early 2012, which highlights one of the most dangerous decisions a company can make: relying on open-source software development. Open-source applications and libraries may save a company thousands of dollars in development costs, but they give hackers and crackers a means to easily search for code that can be exploited.
The developers who discovered the bug made it public knowledge on April 7th, 2014.
So has the NSA been using this flaw for the past several years? Your guess is as good as ours, but we would guess yes.