Email from Cloudflare's CEO about 'Cloudbleed'(pastebin.com) |
This should be rewritten: Any data sent to or from users of your website during the time the bug was live is potentially cached permanently. This includes all session identifiers, passwords, email addresses, and PII that was sent or received by your website. We recommend immediately rotating session secrets to prevent session hijacks using this data, notifying all your customers and forcing password resets.
In my opinion, you are correct. Cloudflare is making it sound a little too clean.
If you claim to be a company that takes security seriously: zero
This is maximum levels of shit hitting fans. All their customers are potentially impacted, some horrifically so. They need to alert them immediately with red alarms blazing.