He did because this is the worst internet bug in the past 10 years, not because the page was so masterfully written. Private keys and user passwords/data being disclosed will be cared about by systems administrators even without such a fancy page.
It is not the worst Internet bug in the past 10 years.
It's among the most widespread Internet bugs, but:
* An identical bug impacted nginx a few years ago
* A far worse bug impacted Debian (when they commented out the randomness in their CSPRNG), which coughed up code execution on tens of thousands of machines; lots of companies that didn't officially deploy on Debian still had a Debian box somewhere vulnerable
* The Rails YAML bug was perniciously exposed in lots of places for months after the initial disclosure, and also coughed up code execution
Losing authenticators for "live" users and TLS private keys is bad, but it's not the kind of bad where you invariably need to nuke your servers from orbit and rebuild. Other widespread bugs were actually like that.
This bug is on 70% of systems and ANYONE can run a python script and pull out plaintext Paypal or bank passwords. It is the worst Internet bug perhaps ever.
I don't know a single vulnerability researcher who agrees with that statement. But you also didn't marshal any evidence; you restated the first thing I said about the bug, and then effectively said "no, you're wrong".
That's my point. Systems administrators will fix security bugs regardless. So there's not really any negative impact on how Heartbleed was "marketed" besides making their job a little bit harder.
I think that cost is outweighed by the significant increase in exposure.
I'm not saying to make it difficult for people to understand the root cause. We should strive for both. But if I had to choose one over the other I think for a bug this big that marketing it as such wins.
Systems administrators WILL NOT invariably fix security bugs no matter what. They'll apply patches as they are made conveniently available, and during maintenance windows. This bug demanded a faster remediation, and a more consistent one, than most bugs do.
Normally, to get out of the standard sysadmin patch rut and into an expedited state, your bug needs to convincingly cough up code execution. Since this bug didn't do that, but was nonetheless very severe, it makes perfect sense to me that additional marketing was required to expedite fixes.
