As for credit unions, most believe they are not significantly impacted by Heartbleed.

A spokesperson for $55 billion Vienna, Va.-based Navy Federal Credit Union said, "The security vulnerability called 'Heartbleed' only affects websites that use an OpenSSL, or open source encryption technology. Navy Federal continually evaluates its systems and potential vulnerabilities. We are not susceptible to this issue. Members can be assured that their accounts remain safe and secure."

At $2.2 billion Affinity Federal Credit Union in Basking Ridge, N.J., CEO John Fenton wrote in an email to CU Times that so far, Heartbleed is a non-issue at Affinity.

"We are not getting a lot of member traffic regarding Heartbleed. We have heard from all of our vendors and they have tested everything and we are not affected at Affinity."

A third perspective came from the security chief at a very large credit union who requested anonymity because he is not authorized to speak to the press. He indicated that his institution had tested its many systems and queried its vendors. The bill of health came back clean, except one minor component with the potential for Heartbleed was found. It was unplugged from the network and, although this credit union continues to investigate the matter, it presently believes that isolated flaw affected no members.

That case illustrates what makes Heartbleed so potentially worrisome: The OpenSSL tools show up in many, many components.

That means searches have to be comprehensive, and since the vast majority of credit unions rely on a great number of third-party technology vendors, those vendors must also be interrogated.

Reports from leading vendors so far are encouraging.

Menlo Park, Calif.-based Digital Insight, which provides online banking platforms to hundreds of credit unions, provided this statement: "After performing a thorough investigation, our research indicates that this vulnerability does not impact Digital Insight Online Banking websites because the encryption libraries used for Digital Insight Online Banking do not use the OpenSSL library that is the source of the vulnerability. However, we continue to investigate."

At Brookfield, Wis.-based Fiserv, Chief Risk Officer Murray Walton said in an email to CU Times his organization launched an immediate assessment when the OpenSSL vulnerability became public knowledge.

"We are confident that the steps we have taken to assess and remediate the OpenSSL vulnerability were effective, and that our clients and their members may continue to use online banking systems with full confidence in their safety and security."

Florida-based FIS, another leading financial technology company, did not respond to several requests for comment on Heartbleed.

Credit unions and their vendors may be comparatively safe from Heartbleed, but then there is the question of members. There, the skies darken with worries.

Thus far, there are no proven cases of data stolen via Heartbleed used for criminal purposes. Experts canvassed by CU Times could not point to a single example. That is not to say there are none, just that none are known.

Heartbleed is bad, but how bad is far from known. It could be more of a potential threat than an exploited one, or maybe it in fact already has been heavily exploited.