
Email from Cloudflare's CEO about 'Cloudbleed' - JOfferijns
http://pastebin.com/4aRZZGzh
======
koolba
> To date, we have yet to find any instance of the bug being exploited, but we
> recommend if you are concerned that you invalidate and reissue any
> persistent secrets, such as long lived session identifiers, tokens or keys.
> Due to the nature of the bug, customer SSL keys were not exposed and do not
> need to be rotated.

This should be rewritten: _Any data sent to or from users of your website
during the time the bug was live is potentially cached permanently. This
includes all session identifiers, passwords, email addresses, and PII that was
sent or received by your website. We recommend immediately rotating session
secrets to prevent session hijacks using this data, notifying all your
customers and forcing password resets._

~~~
audeyisaacs
What is an acceptable level of whitewashing when it comes to security
incidents?

In my opinion, you are correct. Cloudflare is making it sound a little too
clean.

~~~
koolba
> What is an acceptable level of whitewashing when it comes to security
> incidents?

If you claim to be a company that takes security seriously: _zero_

This is maximum levels of shit hitting fans. All their customers are
potentially impacted, some horrifically so. They need to alert them
immediately with red alarms blazing.

