Hacker News: aggresswift's comments

Precisely!

One large company I know has a technical review system which we use frequently to root cause failure and, more importantly, to update systems and workflows that will avoid the cockup being discussed in future. Blaming a team or oneself is not entertained (we don't care about the who); the important question is why and what can we do to fix it.

In my opinion, I think the OpenSSL team should come up with such a document and a list of corrective countermeasures.


And here's a list of high profile web services hit by the bug: http://hackingnews.com/vulnerability/heartbleed-hit-list-aff...


That's a very, very limited list of websites. It would be safer to assume that you need to reset your passwords, revoke access keys, for ALL websites you have credentials or keys on. However you should not do so until those websites have made a statement verifying that they have both patched, AND revoked their SSL certs.


True, the list was just referenced to show that everyone uses OpenSSL and that the large companies (practically every company in that list) should contribute to OpenSSL in some way.

It's pointless for Google, Yahoo et al, to enable inter-datacenter encryption if the front-end (TLS/SSL) is left wide open.

