Is the Heartbleed exploit out yet?

In short, Yes.

A list of POCs are provided below. If we’re missing anything let us know via Twitter @bugcrowd, and we’ll add it to the list and credit you for helping out.

Last update: 30 April 2014 6:07 PDT

Unless you spent yesterday and this morning under a rock you’ll have heard about a very serious vulnerability in OpenSSL yesterday.

OpenSSL is the open-source software that provides SSL capability (e.g. the “S” in HTTPS) for up to 66% of Internet connected devices. The vulnerability allows an attacker to read the memory of the vulnerable system. The important thing to remember is that memory is where an attacker is most likely to find decrypted data, like passwords and private keys.


After a vulnerability like this is disclosed there is usually a short period before an exploit (a piece of software that uses the vulnerability to do bad things, also referred to as a POC) is released. So, after all the attention Heartbleed received yesterday, the question on the minds of many is “How long until the exploit is released, what tools are available to test if I am vulnerable to this issue, and when will we see wide scale exploitation of this vulnerability in the wild?”

The answer: Yes, it’s out there in the wild right now, and was released less than a few hours after the vulnerability notice went public.

A list of Heartbeat exploit POCs is provided below.

Note: Running code from the internet, especially exploit POC code, is a really bad idea unless you know what you are doing. This list is provided without warranty and for information only. Don’t be evil.

Thanks to these contributors for updates:

If we’re missing anything, or you’d think any of the information needs to be changed, please tweet us @bugcrowd and we’ll credit you on this post as a contributor.