Free Software Foundation statement on Heartbleed vulnerability
Using free "as in freedom" software, like OpenSSL, is a necessary first step in securing our computers, our servers, and the entire Internet. Free software guarantees users the ability to examine the code in order to detect vulnerabilities, and to create new and safe versions if a vulnerability is discovered. Bugs, sometimes big ones like Heartbleed affecting widely used software like OpenSSL, can occur in any code, free or proprietary. The difference is, when no one but a proprietary software company like Microsoft can see the code, or fix it when problems are discovered, it is impossible to have a true chain of trust. Everyone is helpless until Microsoft decides to act.
It's been documented that companies like Microsoft are even sharing bugs with others like the NSA without fixing them, looking the other way so that third parties can exploit the security hole. And Apple has a backdoor on the iPhone that security experts say was either caused by NSA sabotage or deliberate internal sabotage by Apple. In short, examples of proprietary software's insecurity abound.
Heartbleed is a serious security issue, and it's a good thing that OpenSSL is free software. This has allowed the bug to be identified, and fixed rapidly after being disclosed.
As for the FSF's own systems, we are upgrading them as we speak. We'd like to thank the Trisquel‡ and Debian distributions of GNU/Linux for quickly releasing updates with fixed packages.