How CloudFlare handled CloudBleed

Tavis Ormandy from Google's Project Zero contacted Cloudflare to report a security problem with their service. It turned out that in some unusual circumstances, Cloudflare's edge servers would bleed memory from other customers' requests, memory that could contain private information such as HTTP cookies, authentication tokens and POST bodies.

At its peak, about 0.00003% of HTTP requests through Cloudflare (roughly 1 in every 3,300,000) could have resulted in memory leakage with private data. After the report came in, they had an initial mitigation in place within 47 minutes and a complete fix deployed within 7 hours.

They had also set up a global team at two locations (San Francisco and London), working 12-hour shifts each, so the issue would be worked on 24 hours a day until it was fixed.

Cloudflare's incident report on CloudBleed is awesome! I wish all companies would handle incidents like this and publish reports like this afterwards.

Tavis Ormandy's thread on the Project Zero tracker is also an interesting read, where you can follow the mitigation from his perspective.

Published by

Bjørn Johansen

Bjørn has been a full-time web developer since 2001, and has during those years touched many areas including consulting, training, project management, client support and DevOps. He has worked with WordPress for more than 13 years, and he is a plugin author, core contributor, WordCamp speaker, WordCamp co-organizer and Translation Editor for Norwegian Bokmål.
