How CloudFlare handled CloudBleed

Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with their service. It turned out that in some unusual circumstances, they would bleed memory that contained private information.

0.00003% of requests through CloudFlare had an issue potentially resulting in memory leakage with private data. When reported, they initially mitigated the issue within 47 minutes and fixed it completely within 7 hours.

They had also set up a global team at two different locations ready to work 12 hour shifts each, so the issue would be worked at 24 hours a day until fixed.

CloudFlare’s incident report on CloudBleed is awesome! I wish all companies would handle incidents like this, and publish reports like this afterwards.

Tavis Ormandy’s thread on the Project Zero’s tracker is also an interesting read, where you can follow the mitigation from his perspective.