Everybody seems to be talking about it, and for good reason.
A lot of trusted, otherwise presumably secure services have been affected by it, so we wanted to update you right away on QuestionPro’s status with the Heartbleed vulnerability:
QuestionPro accounts are not affected.
In short, we had not implemented the update to SSL that introduced the vulnerability, as new updates can sometimes introduce vulnerabilities, just like this one did.
Here’s a more technical response from our system administration team:
Heartbleed (CVE-2014-0160) is aptly named and elevates security concerns for everyone. Superficially it seems we got lucky, because we stayed behind on the 1.0.0 branch of OpenSSL. But the decision was based on extensive discussion in our admin community and sound principles. Since all known vulnerability fixes are backported to non-deprecated branches, we decided to stay on the 1.0.0 OpenSSL branch after the 0.9 branch was made obsolete. In addition, our monthly vulnerability scans and monthly security audit keep us on top of known vulnerabilities. Also, no customer data is directly exposed to the internet.
If you are curious about other sites and whether they are safe, here are a couple of tools that are publicly available and were mentioned on major news sites – we make no warranty for these services but thought we would pass them along. You can check any website just by entering its URL into one of those tools:
http://possible.lv/tools/hb/?sp
http://filippo.io/Heartbleed/
Now if you’ll excuse me, I have a bank account password to change…