[Karunamon]

That's probably not a great idea - it just instantly confirms them as a viable future target if a bug in that particular version comes up with a hole in it later.

I'm personally okay with "We were not affected by the bug" - random internet people shouldn't have details on the software your company runs internally. One more thing for a potential bad guy to exploit.

Besides, if they'd be willing to lie about being affected, they'd be willing to lie about using a particular version of software, so nothing gained anyways.

[ryan_j_naughton]

I agree that they shouldn't publicize which specific other versions of openssl they use/used, but they should be much more forthcoming about what systems (and potentially keys) in their architecture were affected and what data such systems had.

For instance, at my work, we very explicitly said that only two internal systems, our wiki and our issue tracking system, used that version of openssl. Those systems had no user data and had a different set of certs. It is essential to give details. http://blog.taximagic.com/heartbleed/

[judk]

If they make a lie that can be proven, they invite liability ($$). If they make an unclear statement and people foolishly trust then to mean more than they say, they skate by. That's why users should always assume the vendor is being intentionally deceptive.

This is mint, for heavens sake, who do all kinds of contortions to downplay the fact that the whole service relies on the having all your passwords and banking details, instead of using their clout to push for sane Oauth-style access tokens for limited access to bank accounts.