• Home
  • Latest
  • Fortune 500
  • Finance
  • Tech
  • Leadership
  • Lifestyle
  • Rankings
  • Multimedia

Trendingnow

1

As Big Tech showers employees with perks to win the talent war, Nvidia built a nearly $5 trillion company by making people pay for their own lunch

2

Mark Zuckerberg feeds his cows macadamia nuts and beer to create the 'highest-quality beef in the world' on his $300 million estate in Hawaii

3

MacKenzie Scott alone accounted for one-third of America's $19.2 billion in megagifts last year

1

As Big Tech showers employees with perks to win the talent war, Nvidia built a nearly $5 trillion company by making people pay for their own lunch

2

Mark Zuckerberg feeds his cows macadamia nuts and beer to create the 'highest-quality beef in the world' on his $300 million estate in Hawaii

3

MacKenzie Scott alone accounted for one-third of America's $19.2 billion in megagifts last year
Tech

On Heartbleed’s anniversary, 3 of 4 big companies are still vulnerable

Robert Hackett
By
Robert Hackett
Robert Hackett
Down Arrow Button Icon
Robert Hackett
By
Robert Hackett
Robert Hackett
Down Arrow Button Icon
April 7, 2015, 11:38 AM ET
Photograph by Getty Images
Add Fortune on Google for similar content.

A year ago today, researchers disclosed a virulent computer bug that rocked the foundations of the web. The vulnerability made it possible for anyone to steal and read encrypted information off supposedly secure servers, thus undetectably compromising secret keys, usernames and passwords, and the content of Internet traffic.

Far from just a theoretical concern, Heartbleed has been blamed for the breach of 4.5 million patient records at the hospital group Community Health Systems by the alleged Chinese hacker group “APT18.” And the bug may have been exploited by others, including intelligence agencies, for years prior.

Now on the one year anniversary of Heartbleed’s announcement, a new report shows that most large companies have not fully addressed the issue. According to a scan of Forbes Global 2000 companies by the Salt Lake City, Utah-based security firm Venafi, 74% of these organizations with public-facing systems vulnerable to Heartbleed (that’s 1,642 companies) have not taken every step to remediate the problem across all servers. “That’s 1,223 of the world’s largest and most valuable businesses still exposed to attacks,” the report says.

Venafi’s vice president for security strategy Kevin Bocek likens the situation to not changing the lock on one’s home when others may have the key. “It’s disappointing,” he says, “because the steps to perform remediation were really clear.”

What are the steps? It takes roughly three to remediate the Heartbleed bug. First, patching: Updating to the latest versions of OpenSSL, the software initially found vulnerable to Heartbleed, prevents the bug from continuing to be exploited. (Every organization—thank goodness—accomplished this step, according to the report.) Second, creation of new private keys: This prevents an attacker—someone who exploited the bug prior to patching—from being able to spy on encrypted traffic between an affected host and a user. And third, reissuance of security certificates (including the revocation of old, potentially compromised certificates): This last step eliminates attackers’ ability to spoof organizations and to fool or phish their customers.

In order to steel one’s systems against Heartbleed’s hemorrhaging effects, all three steps ought to be followed. A couple of days after Heartbleed was revealed, Gartner research director Erik Heidt outlined that guidance in a blog post. He highlighted the final steps, the subject of Venafi’s findings, in particular:

Step 3: Reissue Certificates, BUT FIRST regenerate your key pairs!

The existence of this fault on a server undermines any confidence in the confidentially of keys that have been used on that server. Issuing a new certificate is necessary, but not sufficient. Many organizations perform “lazy” certificate rotations, and do not create new keys! This is a bad practice. Because this attack enables the recovery of the private key itself, certificate rotation alone will not protect you! New private keys must be generated.

The message is loud and clear: Don’t be “lazy.” Assume your crypto has been compromised, and start from scratch. Despite the counsel, Venafi’s survey found that only 15% of the more than 600,000 hosts belonging to Global 2000 companies it scanned had completed all three steps. The rest remain susceptible to Heartbleed-derived attacks.

On a call with Fortune, Heidt seems to assume a more measured stance. “It’s difficult to make a condemning statement,” he says, mentioning that for big businesses, the ones that have to invest time and money in new certificates and keys, it’s a matter of managing priorities—that means, determining which data on which servers are most worth protecting, and which ongoing attacks are most important for organizations to focus on mitigating. (Patching, on the other, is relatively easy and low-cost.)

“This gets into the kinds of risk calculus questions that actuaries love but business people hate,” Heidt says. “You can’t simply leap from ‘they didn’t do this very simple concrete behavior’ to ‘they didn’t make the right decision.'”

For Venafi, however, the matter is more black and white. The firm, which secures and protects keys and certificates, has an obvious interest in harping on the final steps of Heartbleed remediation. That’s how it makes money.

But it’s not alone in calling out organizations for not going the whole nine yards. A November study out of the University of Maryland found that “while approximately 93 percent of the websites analyzed had patched their software correctly within three weeks of Heartbleed being announced, only 13 percent followed up with other security measures needed to make the systems completely secure.” Those other security measures involve the revoking and reissuing of keys and certificates, primarily. So, Venafi’s portrait of large corporation’s public key infrastructure has been corroborated in the academic sphere.

Bocek agrees that step one—patching—should be every company’s highest priority, and he says he was “encouraged” to see the quick and immediate reaction to Heartbleed. “IT is pretty good at patching,” Bocek says. “But they’re still failing when comes to the complex incident response remediation.”

Heidt, on the other hand, places even more emphasis the importance of that critical first step. Heartbleed, he notes, is not the only vulnerability lurking in the digital wilds. He tells Fortune:

Unpatched systems continue to be the superhighway for attackers to gain access to systems. Heartbleed has an exceptionally good patch rate, but organizations need to not just be focused on vulnerabilities that get lots of media attention. Having addressed Heartbleed but having dozens of other unpatched vulnerabilities on the same machine isn’t exactly winning.

Let today’s anniversary remind you that—whether it’s step one, two, or three—when it comes to security, you shouldn’t skip a beat.

Read next: For 3 months, Hillary Clinton’s email access was unencrypted, vulnerable to spies

About the Author
Robert Hackett
By Robert Hackett
Instagram iconLinkedIn iconTwitter icon
See full bioRight Arrow Button Icon
Add Fortune on Google for similar content.

Latest in Tech

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025

Most Popular

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Fortune Secondary Logo
Rankings
  • 100 Best Companies
  • Fortune 500
  • Global 500
  • Fortune 500 Europe
  • Most Powerful Women
  • World's Most Admired Companies
  • See All Rankings
  • Lists Calendar
Sections
  • Finance
  • Fortune Crypto
  • Features
  • Leadership
  • Health
  • Commentary
  • Success
  • Retail
  • Mpw
  • Tech
  • Lifestyle
  • CEO Initiative
  • Asia
  • Politics
  • Conferences
  • Europe
  • Newsletters
  • Personal Finance
  • Environment
  • Magazine
  • Education
Customer Support
  • Frequently Asked Questions
  • Customer Service Portal
  • Privacy Policy
  • Terms Of Use
  • Single Issues For Purchase
  • International Print
Commercial Services
  • Advertising
  • Fortune Brand Studio
  • Fortune Analytics
  • Fortune Conferences
  • Business Development
  • Group Subscriptions
About Us
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • Facebook icon
  • Twitter icon
  • LinkedIn icon
  • Instagram icon
  • Pinterest icon

Latest in Tech

Michael Burry just shorted Caterpillar’s 172% AI rally. One analyst says his bet won’t even matter
Investingstock prices
Michael Burry just shorted Caterpillar’s 172% AI rally. One analyst says his bet won’t even matter
By Marco Quiroz-GutierrezJuly 2, 2026
8 hours ago
U.S. Treasury Secretary Scott Bessent
EconomyDebt
AI’s $2.2 trillion deficit fix is already half fake, economists say
By Tristan BoveJuly 2, 2026
9 hours ago
Anthropic CEO Dario Amodei
AIEye on AI
Anthropic’s Fable model is back. But U.S. AI policy is still a mess
By Jeremy KahnJuly 2, 2026
9 hours ago
ai
North AmericaImmigration
Trump’s $46 billion ‘smart wall’ with Mexico bets on AI and scale
By Rebecca Santana and The Associated PressJuly 2, 2026
11 hours ago
sk
AISouth Korea
AI “grief videos” turn mourning into a $390 service in South Korea
By Hyung-Jin Kim and The Associated PressJuly 2, 2026
11 hours ago
Securitize CEO Carlos Domingo looks to the far right during a conference.
CryptoBlockchain
Securitize is latest crypto company to go public as BlackRock-backed firm sees stock jump 3% on debut
By Camila Grigera NaónJuly 2, 2026
11 hours ago

Most Popular

As Big Tech showers employees with perks to win the talent war, Nvidia built a nearly $5 trillion company by making people pay for their own lunch
Big Tech
As Big Tech showers employees with perks to win the talent war, Nvidia built a nearly $5 trillion company by making people pay for their own lunch
By Marco Quiroz-GutierrezJuly 1, 2026
2 days ago
Mark Zuckerberg feeds his cows macadamia nuts and beer to create the 'highest-quality beef in the world' on his $300 million estate in Hawaii
Success
Mark Zuckerberg feeds his cows macadamia nuts and beer to create the 'highest-quality beef in the world' on his $300 million estate in Hawaii
By Sasha RogelbergJuly 2, 2026
11 hours ago
MacKenzie Scott alone accounted for one-third of America's $19.2 billion in megagifts last year
Success
MacKenzie Scott alone accounted for one-third of America's $19.2 billion in megagifts last year
By Sydney LakeJune 25, 2026
8 days ago
Today, Emily Blunt is worth $80 million thanks to her Hollywood career—but she actually wanted to be a UN Spanish translator on $80K
Success
Today, Emily Blunt is worth $80 million thanks to her Hollywood career—but she actually wanted to be a UN Spanish translator on $80K
By Orianna Rosa RoyleJuly 2, 2026
21 hours ago
Americans are escaping the U.S. for New Zealand where house prices have hit a new low—but only wealthy Americans with $3 million spare can invest
Success
Americans are escaping the U.S. for New Zealand where house prices have hit a new low—but only wealthy Americans with $3 million spare can invest
By Emma BurleighJuly 2, 2026
13 hours ago
Current price of oil as of July 2, 2026
Personal Finance
Current price of oil as of July 2, 2026
By Joseph HostetlerJuly 2, 2026
14 hours ago

© 2026 Fortune Media IP Limited. All Rights Reserved. Use of this site constitutes acceptance of our Terms of Use and Privacy Policy | CA Notice at Collection and Privacy Notice | Do Not Sell/Share My Personal Information
FORTUNE is a trademark of Fortune Media IP Limited, registered in the U.S. and other countries. FORTUNE may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.