Re: That is the problem. (Score 1)
That's not true. Script kiddies have to wait for someone to write a tool for them to use to actually exploit it. It takes a few days for these things to get out there en masse.
When an upstream has a security advisory, I have to run around in circles to get the patch out to my users and then they have to run around patching everything. That's just how it works. When you don't get enough information to make a decision, it makes it hard to know if you should risk patching. For some folks, they're in system freeze for a busy time of year or have a lot of other risks by patching something. You really need as much info as possible to make this decision sometimes.
For example, at work we have a vendor who recently told us they had a huge security issue. Anyone on the internet can change a setting, and that in turn can change a link to an admin area of our product. The catch is that we never use the admin link it changes. They threatened to drop support of their product for us if we didn't patch immediately. However, we don't use that admin link. Further, the users in our org who use it are on one team of 10 people. A huge risk in general does not mean a huge risk for one org.
The OpenSSL team did the right thing on their end, but there are two dimensions to vulnerabilities: the severity in terms of the software, and the number of users impacted. The latter, in this case, was small.