Subscribe to receive notifications of new posts:

Subscription confirmed. Thank you for subscribing!

The Results of the CloudFlare Challenge


Earlier today we announced the Heartbleed Challenge. We set up a nginx server with a vulnerable version of OpenSSL and challenged the community to steal its private key. The world was up to the task: two people independently retrieved private keys using the Heartbleed exploit.

The first valid submission was received at 16:22:01PST by Software Engineer Fedor Indutny. He sent at least 2.5 million requests over the course of the day. The second was submitted at 17:12:19PST by Ilkka Mattila at NCSC-FI, who sent around a hundred thousand requests over the same period of time.

UPDATE: Two more confirmed winners: Rubin Xu, PhD student in the Security group of Cambridge University submitted at 04:11:09PST on 04/12; and Ben Murphy, Security Researcher submitted at 7:28:50PST on 04/12.

We confirmed that all individuals used only the Heartbleed exploit to obtain the private key. We rebooted the server at 3:08PST, which may have caused the key to be available in uninitiallized heap memory as theorized in our previous blog post. It is at the discretion of the researchers to share the specifics of the techniques used.

This result reminds us not to underestimate the power of the crowd and emphasizes the danger posed by this vulnerability.

We protect entire corporate networks, help customers build Internet-scale applications efficiently, accelerate any website or Internet application, ward off DDoS attacks, keep hackers at bay, and can help you on your journey to Zero Trust.

Visit from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.

Heartbleed Vulnerabilities Reliability Community

Follow on Twitter

Nick Sullivan |@grittygrease
Cloudflare |Cloudflare

Related Posts