
Google Knew About Heartbleed and Didn't Tell the US Government

30
First As Tragedy, Then As Farce 4/15/2014 6:52:37 pm PDT

re: #15 Charles Johnson

Just to be clear, the NSA issued an unequivocal statement saying they did not know about Heartbleed.

Google unequivocally did know about Heartbleed, but withheld the information — even from the government! — until they could fix their own systems.

Tell me again why I should be less concerned about Google than the US government?

Your point stands, but it’s generally considered unethical to announce a huge security vulnerability to the world at large without first notifying the upstream source (i.e., the devs who wrote the insecure software) and giving them an opportunity to fix it — all the better if you can submit a patch yourself.

It would have been a truly dick move for Google to come out publicly and say “OH HAY GUISE, OpenSSL is FUBAR at the moment and can leak random 64k segments of whatever’s in the server’s memory to whoever sends a heartbeat signal, and by the way it’s not fixed yet so go ahead and exploit as many servers as you can. ta-ta for now!”
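The mechanism the comment above sketches, as an added worked example that is not part of this thread and not OpenSSL's own code: a stand-alone C model of a TLS heartbeat handler that trusts the peer's 16-bit payload length (the CVE-2014-0160 bug, which is why a single request can pull up to 64k of adjacent memory) next to a handler carrying the two bounds checks the OpenSSL 1.0.1g fix added. The message layout follows RFC 6520; the `process_memory` buffer, the `password123` secret placed next to the record, and every function name here are constructed for the demonstration.

```c
/* Constructed model of the Heartbleed bug (CVE-2014-0160) and its fix. Not OpenSSL code:
 * the message layout follows RFC 6520 (type | 16-bit length | payload | >=16 padding),
 * the handlers mimic the shape of tls1_process_heartbeat, and the "process memory"
 * and the secret sitting next to the record are made up for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_PADDING     16     /* RFC 6520: at least 16 bytes of padding */
#define HB_MAX_PAYLOAD 65535  /* 16-bit length field: the "64k" per request */

/* A received TLS record: where it sits in memory and how many bytes actually arrived. */
struct record { const unsigned char *data; size_t length; };

/* Vulnerable handler: echoes 'payload' bytes as claimed by the peer, never comparing
 * that claim with rec->length, so memcpy runs past the record into adjacent memory.
 * out must hold 3 + HB_MAX_PAYLOAD + HB_PADDING bytes. Returns the response length. */
size_t heartbeat_vulnerable(const struct record *rec, unsigned char *out) {
    const unsigned char *p = rec->data;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* peer-controlled */
    p += 2;
    if (type != HB_REQUEST) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);               /* the over-read */
    memset(out + 3 + payload, 0, HB_PADDING);  /* OpenSSL filled this randomly */
    return 3 + payload + HB_PADDING;
}

/* Fixed handler: the two checks the 1.0.1g patch added. Any request whose claimed
 * payload would run past the bytes actually received is silently discarded. */
size_t heartbeat_fixed(const struct record *rec, unsigned char *out) {
    if (1 + 2 + HB_PADDING > rec->length) return 0;       /* too short to be valid */
    const unsigned char *p = rec->data;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length) return 0; /* RFC 6520 sec. 4 */
    if (type != HB_REQUEST) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);               /* now bounded by rec->length */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Constructed scenario: a request carrying a 2-byte payload ("hi") plus padding is
 * laid out in a buffer, and a secret string sits right after it, as adjacent heap
 * data would. Large enough that any 16-bit claim stays inside the buffer. */
static unsigned char process_memory[3 + HB_MAX_PAYLOAD + HB_PADDING];
static const char SECRET[] = "password123";   /* never sent on the wire */

static struct record build_demo(uint16_t claimed_len) {
    unsigned char *m = process_memory;
    memset(m, 0, sizeof process_memory);
    m[0] = HB_REQUEST;
    m[1] = (unsigned char)(claimed_len >> 8);
    m[2] = (unsigned char)(claimed_len & 0xff);
    m[3] = 'h'; m[4] = 'i';                       /* the 2 payload bytes actually sent */
    memset(m + 5, 0xAA, HB_PADDING);
    size_t received = 1 + 2 + 2 + HB_PADDING;     /* 21 bytes arrived */
    memcpy(m + received, SECRET, sizeof SECRET);  /* adjacent memory, not part of the record */
    struct record rec = { m, received };
    return rec;
}

typedef size_t (*hb_handler)(const struct record *, unsigned char *);

/* Feed the scenario to a handler; returns the response length (0 = discarded). */
size_t demo_response_length(hb_handler h, uint16_t claimed_len) {
    static unsigned char out[3 + HB_MAX_PAYLOAD + HB_PADDING];
    struct record rec = build_demo(claimed_len);
    return h(&rec, out);
}

/* 1 if the echoed bytes of the response contain the secret that was never sent. */
int demo_leaks_secret(hb_handler h, uint16_t claimed_len) {
    static unsigned char out[3 + HB_MAX_PAYLOAD + HB_PADDING];
    struct record rec = build_demo(claimed_len);
    size_t n = h(&rec, out), slen = strlen(SECRET);
    for (size_t i = 3; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, claimed 64: %zu bytes back, secret leaked: %d\n",
           demo_response_length(heartbeat_vulnerable, 64),
           demo_leaks_secret(heartbeat_vulnerable, 64));
    printf("fixed, claimed 64: %zu bytes back (0 = discarded)\n",
           demo_response_length(heartbeat_fixed, 64));
    printf("fixed, honest claim of 2: %zu bytes back\n",
           demo_response_length(heartbeat_fixed, 2));
    return 0;
}
```

Build with `cc -std=c99 heartbeat_model.c && ./a.out`. With a claim of 64 the vulnerable handler answers with 83 bytes, 64 of which were copied from past the end of the 21-byte record, so the adjacent secret comes back; the fixed handler discards the same request and only answers an honest claim of 2. Pushing the claim to 65535 is what gives the roughly 64k per request the comment mentions, and the padding requirement is why the fix compares against `1 + 2 + payload + 16` rather than `payload` alone.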