Like other similar bugs found recently — including one in Apple’s mobile and desktop devices — the Heartbleed flaw had gone unnoticed for years. As far as researchers can tell, the problem was introduced by a programmer making a routine coding change on New Year’s Eve in 2011. OpenSSL, the system in which the error was found, is an open-source program, which means that its code resides online and can be amended by anyone. In theory, such code is supposed to be more secure from bugs than a closed system; with enough programmers checking the code, the flaw should have been quickly detected.

Image: “Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security,” said Edward Felten of Princeton. Credit: Eva Russo/Momenta Creative

But apparently that did not happen. “There just weren’t enough eyeballs on this — and that’s very bad,” Mr. Green said.

One problem might be basic economics. Many huge Internet companies depend on free technologies like OpenSSL to run their systems, but they don’t always return resources to the small teams that create the code. “If we could get $500,000 kicked back to OpenSSL and teams like it, maybe this kind of thing won’t happen again,” Mr. Green said.

Unlike other potentially dangerous corners of modern life, like aviation or health care, the tech industry is unusually volatile. The companies that run the show today will inevitably be usurped by newer ones that offer supposedly better ways of doing things. Such constant upheaval makes industrywide coordination on security more difficult.

“I’m not sure there’s any other industry that handles as much change and as much usage in such a short amount of time,” said Kurt Baumgartner, a researcher at Kaspersky Lab, a digital security firm. Still, Mr. Baumgartner contends that the field is getting better. Compared with the slow, haphazard way that companies once responded to security threats, the industry’s response to Heartbleed was “pretty responsibly coordinated,” he said. Many large companies fixed their services before the problem was disclosed. “On the whole, things have been improving.”

But is it improving enough to keep up with an increasingly determined set of attackers? According to a recent study by Risk Based Security, a threat research firm, there were more than 2,000 data security breaches in 2013. The good news is that the number of intrusions was down from 2012, when more than 3,000 episodes were reported. The bad news is that the smaller number of attacks in 2013 resulted in more damage — about 814 million data records were exposed during the year (including the credit card you used at Target), about twice as many as in any other previous year on record.