We've all heard about the HeartBleed bug. More than anything, I think that the lack of very public coordination by vendors has been troubling. I should not have to dig on a vendor's site to find out whether they had vulnerable products. It should be front-page news, even if the answer is "we still don't know."
And banks... wow. I have accounts at several major banks. I checked their websites this afternoon and not a single one has a notice up about whether or not they were ever vulnerable. If they were, customers should know this, so they can choose what information they feel may have been compromised. As it stands, the customer is currently at a significant disadvantage. Why is this? Admitting you were following best practices is a good thing. There's no shame in being vulnerable to a zero day bug. There is shame in hiding this fact from your customers who might want to change passwords (not a bad idea anyway) or even do something more drastic like change account numbers.
So, does anyone know of any banks out there that have publicly disclosed whether they were vulnerable? Has anyone given the "all clear"? What's the status of the security of my accounts, and why am I having to guess?
If you check a bank site, leave a note here (or DM me on Twitter) with the name of the bank so we can keep a running list of who is and isn't notifying customers about HeartBleed status.