It’s been one week since researchers discovered a vulnerability in the Bash Unix shell, exposing millions of devices to remote-code attacks by exploiting the same common chunk of code. By now, patches have been issued and most of the major systems have been secured. The bug even got its own Heartbleed-esque moniker: Shellshock. But there’s still a lot that isn’t clear about the bug, and what went on in the brief window in which attackers could exploit the public vulnerability on unpatched systems. Given a dangerously large window of opportunity, how much damage did Shellshock do?