How Cloudflare handled CloudBleed

Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with their service. It turned out that in some unusual circumstances, they would bleed memory that contained private information.

0.00003% of requests through Cloudflare had an issue potentially resulting in memory leakage with private data. Once it was reported, they put an initial mitigation in place within 47 minutes and fixed it completely within 7 hours.

They also set up a global team at two different locations, each ready to work 12-hour shifts, so the issue would be worked on 24 hours a day until fixed.

Cloudflare’s incident report on CloudBleed is awesome! I wish all companies would handle incidents like this, and publish reports like this afterwards.

Tavis Ormandy’s thread on the Project Zero tracker is also an interesting read, where you can follow the mitigation from his perspective.

