A major security flaw that came to be known as Heartbleed injected a healthy dose of anxiety into security experts and web users alike some two months ago. Hundreds of thousands of servers around the globe were put in harm’s way yet despite the fact that a fix came relatively quickly, not everyone has bothered to implement it.

Security researcher Robert David Graham has been tracking the flaw since the beginning. By scanning port 433, he was able to determine that more than 600,000 servers were vulnerable to Heartbleed. A month later, that figure dropped to 318,239.

The most recent check, roughly two months after the discovery, shows that 309,197 servers remain unpatched. Some quick math tells us that only 9,042 servers were patched over the past month – yeah, that’s pretty dismal.

As The Verge points out, the numbers mean there are some 300,000 smaller sites that haven’t made an effort to fix the flaw. Considering that so few patched it over the last month, it’s entirely likely that a sizable section of the Internet will remain at risk for the foreseeable future.

The issue is even more pressing given the considerable mainstream news coverage it has received during the past few months. As such, unpatched servers will have an even larger target painted on their backs.

Due to the nature of the vulnerability, there’s really no way to tell how often it has been used and by how many people.