"Fault" is hard to assign here. And unproductive.
The architect of the DTLS heartbeat protocol and author of the relevant OpenSSL code is Dr. Robin Seggelmann. He has admitted full responsibility for the bug. Dr. Stephen Henson reviewed the code and did not notice any problem. None of the testers discovered the bug. Users did not notice a problem for over two years.
You could blame the author, but he did this work for free, for the community, and with the best of intentions.
You might assign blame to the whole OpenSSL organization, the whole open source community and the culture of coding over testing. But testing is hard, boring, and thankless. Coding is much more fun and rewarding.
You might even lay the blame at the feet of Brian Kernighan and Dennis Ritchie for providing us the C programming language which doesn't have robust bounds checking built in. But that very lack of robustness contributes to the speed and agility of the language. And its stunning popularity.
Don't focus on assigning blame. Focus on improving the systemic and organizational mechanisms in the development and testing culture that made it possible for such a bug to exist in the first place. We all benefit tremendously from people like Dr. Seggelmann, Dr. Hanson, and the OpenSSL Project, so don't throw stones at them. Figure out how you are going to help make things better for everyone.
- Hackers: Is it possible for hackers to access my computer's webcam?
- Network Security: What is password management in network security?
- Heartbleed Bug: OpenSSL Vulnerability: What is the Heartbleed Bug in OpenSSL?
- Software Bugs: Is C language more prone to bugs based on the experience of HeartBleed?
- OpenSSL: Why is the Heartbleed bug being called one of the biggest security threats the Internet has ever seen?