That lingering Heartbleed flaw recently discovered in 200,000 devices is more insidious than that number indicates.
According to a , the flaw first exposed in April 2014 was still found in 199,594 internet-accessible devices during a scan it performed last weekend.
But according to open-source security firm Black Duck, about 11 percent of more than 200 applications it audited between Oct. 2015 and March 2016 contained the flaw, which enables a buffer overread that endangers data from clients and servers running affected versions of OpenSSL.
The company’s vice president of strategy, Mike Pittenger, says it’s likely most of those machines have been remediated, but that doesn’t address the countless other applications, commercial and proprietary, that Black Duck didn’t audit. “It is significant, to be sure,” he says. “However, I would not extrapolate that to say 11 percent of all commercial applications were vulnerable to Heartbleed at that time.”