Richard Moulds, VP strategy, Thales e-Security
"An attacker that can access these [encryption] keys can decrypt any data that has been previously encrypted using those keys and probably any future data until each key is changed. Updating keys is expensive and time consuming and the impact of a loss can be very damaging."
Motty Alon, director of security solutions, Radware
"Heartbleed exposes the ugly side of open-source security components. In past events a vendor would pay for the collateral damages that the vulnerability created. As this is OpenSSL, there is no clear indication on who would be responsible to pay for the collateral damages of this open-source [bug]."
Brian Spector, CEO, CertiVox
"[This] underlines the vulnerability of the username and password system as a method of authentication. Username and password is old technology that is not up to the standard required to secure the deep information and private services that we as individuals store and access online today."
Jean Taggart, senior security researcher, Malwarebytes
"It's taken security experts some time to uncover this flaw, and the discovery was likely driven by recent revelations about the systematic undermining of cryptographic solutions by some government entities. That's caused people to more carefully scrutinize technologies such as OpenSSL."
Steve Durbin, global vice president, Information Security Forum
"All it takes is one individual or group to make the workarounds and backdoors open knowledge to further erode one of the cornerstones of secure business on the internet. The Heartbleed flaw in OpenSSL clearly demonstrates that this threat is actually here with us today."
Mike Lloyd, CTO, RedSeal
"Heartbleed has security teams everywhere scrambling. First, they want to know 'Are we vulnerable?' The answer is almost certainly 'yes' based upon the fact that the open source crypto library is so widely used that it's unlikely an entire IT infrastructure will be up-to-date with the necessary patches."
Steve Pate, chief architect, HyTrust
"Not all versions of OpenSSL are affected by the latest vulnerability. The 1.0.1 and 1.0.2-beta releases have the bug and a fix has already been implemented. This is one of the benefits of an open source software project. Changes are generally easier to detect and fixes tend to come quickly."
John Miller, security research manager, Trustwave
"Although we are just finding out about this vulnerability now, it has existed for over two years. That means attackers may have already exploited the vulnerability during that time, stealing passwords, payment card information and other sensitive data without the end-user or business even realizing it."
Tatu Ylönen, CEO, SSH Communications Security
"I would describe this as the most serious vulnerability addressing internet security, enterprise security, and user privacy in a long time. The cost of remediating the issue is substantial. The total labor and certificate renewal cost worldwide resulting from this bug could well exceed a billion dollars."