HeartBleed is the name given to a bug/vulnerability discovered recently in OpenSSL’s implementation of the HTTPS/TLS protocol. It allows remote attackers to obtain potentially sensitive information (up to 64KB at a time) using specially crafted packets that trigger a “buffer over-read”. It can potentially expose passwords, usernames, private keys, and other sensitive information.

HotDocs is not affected directly, since

1)  No HotDocs Software relies directly on OpenSSL libraries or code.

2)  HotDocs Server is always deployed on Windows-based servers, where OpenSSL is not present by default.

3)  HotDocs Server is typically deployed in combination with the IIS web server, which does not (by default) rely on OpenSSL.

4)  HotDocs Server is often deployed behind firewalls, where HeartBleed attacks are not likely to be as prevalent anyway.

5)  HotDocs Cloud Services is public-facing, but again has no reliance on OpenSSL and is therefore not vulnerable to the HeartBleed bug.

The only potential vulnerability we’re aware of would be IF someone deployed HotDocs Server on a public-facing Windows server (i.e. a server not otherwise protected from public attack behind a firewall) that was running a web server besides IIS (such as Apache), configured to use HTTPS via Windows-based OpenSSL.  In this case, it is the web server software on that machine that (so long as it remains unpatched) may be vulnerable to the HeartBleed bug; in this case, it would be possible for HotDocs-related data (answer collections, etc.) to be among the data that is exposed to a potential attacker.

In summary, we do not believe that the HeartBleed vulnerability affects HotDocs directly, and it is unlikely to impact our customers’ use of HotDocs except as in the relatively uncommon situation outlined above.