by duongkai 4460 days ago
According to the CloudFlare blog: Today a new vulnerability was announced in OpenSSL 1.0.1 that allows an attacker to reveal up to 64kB of memory to a connected client or server (CVE-2014-0160). We fixed this vulnerability last week before it was made public. All sites that use CloudFlare for SSL have received this fix and are automatically protected.

[1]http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerab...

I think you're conflating CloudFlare, the company, and CloudFront, the AWS CDN service.
In the same manner that CloudFlare had it before the disclosure, the OpenSSL team should've contacted major GNU distro (Debian, Fedora, Arch) packagers privately and done the announcement as new releases hit the repos (i.e. not having a 4-8 hour window, given the bug's pretty much critical).
I was under the impression that they did in fact contact package maintainers in addition to companies like CloudFlare.
Nope; package maintainers said they didn't get notified, and OpenSSL explicitly has no notification mechanism for such things. CF found out because the private entities which found the bug warned them a priori with a request to not disclose it to anyone else. See also: https://news.ycombinator.com/item?id=7549986