Email from Cloudflare's CEO about 'Cloudbleed'
pastebin.com> To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.
This should be rewritten: Any data sent to or from users of your website during the time the bug was live is potentially cached permanently. This includes all session identifiers, passwords, email addresses, and PII that was sent or received by your website. We recommend immediately rotating session secrets to prevent session hijacks using this data, notifying all you customers and forcing password resets.
What is an acceptable level of whitewashing when it comes to security incidents?
In my opinion, you are correct. Cloudflare is making it sound a little too clean.
> What is an acceptable level of whitewashing when it comes to security incidents?
If you claim to be a company that takes security seriously: zero
This is maximum levels of shit hitting fans. All their customers are potentially impacted, some horrifically so. They need to alert them immediately with red alarms blazing.