On April 15, 2014, all users of WIPO services which depend on WIPO Accounts (including ePCT and the various Madrid and Hague online services) should have received an email requesting them to reset their passwords. We would like to offer you an explanation of what this means in terms of the Heartbleed bug.
A number of WIPO's systems used an OpenSSL version which is susceptible to the Heartbleed bug. As soon as we received the warning, we patched our systems and replaced our server certificates to prevent the bug from being used.
We have no evidence that any user information has been compromised, but the possibility remains that usernames and passwords were taken before the servers were patched.
Our servers were patched on April 10, 2014. Several services (including ePCT public services and Arbitration and Mediation Center applications) which perform more sensitive processing and which use only a username and password were taken offline the following weekend until we could force a password reset, which was done on April 15. We were confident in the continuing security of ePCT private services because of the additional layer of security provided by the digital certificate, so these services remained available.
If you have not received the email requesting you to change your password, or if you prefer not to click on links in unsolicited email, you can begin the password change process by going to the login page and clicking on the link which you can find in the text there. This will take you to a page to begin the password reset process, which involves an email with a personalized link being sent to you. If the email has not appeared, please check your spam folders.
If you are still unable to change your password or log in, please contact the WIPO Customer Services.
Since the update to the servers, we have been receiving reports from some users of Internet Explorer 11 that they are unable to access certain services. We are investigating this problem, but for the moment can only recommend that if you are affected, you should use a different browser until the cause has been identified.
The PCT-SAFE software contained a copy of the same OpenSSL library which caused the Heartbleed bug. Our analysis is that, because PCT-SAFE does not use the specific service where the problem lies, the vulnerability cannot be used against PCT-SAFE. Nevertheless, we released a new version of the software on April 17.
We apologize for any inconvenience. The precautions which we have taken are in line with ICT best practices evolving since the discovery of Heartbleed. WIPO gives the highest priority to the security of its applications and business services.