Developer Who Introduced 'Heartbleed' Flaw Denies He Inserted It Deliberately
Hugh Pickens DOT Com writes: Ben Grubb reports that German software developer Robin Seggelmann says he did not insert the "Heartbleed" flaw deliberately as some have suggested. "It was a simple programming error in a new feature, which unfortunately occurred in a security relevant area. It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project," says Seggelmann. "I was working on improving OpenSSL and submitted numerous bug fixes and added new features. In one of the new features, unfortunately, I missed validating a variable containing a length." After he submitted the code, a reviewer "apparently also didn't notice the missing validation," Seggelmann added, "so the error made its way from the development branch into the released version." Logs show that reviewer was Dr Stephen Henson. Despite denying he put the bug into the code intentionally, Seggelmann says it was entirely possible intelligence agencies had been making use of it over the past two years. "It is a possibility, and it's always better to assume the worst than best case in security matters." If anything has been demonstrated by the discovery of the bug, Seggelmann says it is awareness that more contributors are needed to keep an eye over code in open source software. "It's unfortunate that it's used by millions of people, but only very few actually contribute to it," Seggelmann concludes. "The more people look at it, the better, especially with a software like OpenSSL."
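As an added illustration (not OpenSSL's code and not part of the submission), here is a constructed echo-request parser in C showing the kind of check Seggelmann describes as missing: a length field carried inside a message is validated against the number of bytes actually received before it is used to copy the payload. The record layout, padding size and function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not OpenSSL code. A request record is laid out as
 *   [1 byte type][2-byte big-endian payload length][payload][PADDING_LEN bytes]
 * The length field comes from the peer, so it must be checked against rec_len,
 * the number of bytes actually received, before anything is copied with it. */
#define PADDING_LEN 16
#define MAX_PAYLOAD 1024

struct echo_request {
    uint8_t type;
    uint16_t payload_len;
    const uint8_t *payload;
};

/* Returns 0 on success, -1 if the record is malformed. The second `if` is the
 * validation whose absence is the bug class described above. */
int parse_echo_request(const uint8_t *rec, size_t rec_len, struct echo_request *out)
{
    if (rec == NULL || out == NULL || rec_len < 3)
        return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    /* Without this check a 5-byte record may claim 65535 bytes of payload and
     * the reply would be built from memory beyond the end of the record. */
    if ((size_t)3 + claimed + PADDING_LEN > rec_len || claimed > MAX_PAYLOAD)
        return -1;
    out->type = rec[0];
    out->payload_len = claimed;
    out->payload = rec + 3;
    return 0;
}

/* Builds the reply for a validated request into out; returns bytes written, 0 on error. */
size_t build_echo_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    struct echo_request req;
    if (parse_echo_request(rec, rec_len, &req) != 0)
        return 0;
    size_t needed = 3 + (size_t)req.payload_len + PADDING_LEN;
    if (needed > out_len)
        return 0;
    out[0] = (uint8_t)(req.type + 1);                 /* response type */
    out[1] = (uint8_t)(req.payload_len >> 8);
    out[2] = (uint8_t)(req.payload_len & 0xff);
    memcpy(out + 3, req.payload, req.payload_len);    /* bounded by the check above */
    memset(out + 3 + req.payload_len, 0, PADDING_LEN);
    return needed;
}
```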