Yesterday, I collected over 1,200 .GOV TLD domains and ran checks against them. Of that, 58 were affected by the OpenSSL bug, aka, Heartbleed. This morning, upon checking again, only 39 remain unpatched of that initial 58 affected.
During my testing I was able to inadvertently obtain login credentials for a particular .GOV website illustrated in the screenshot below.
I collected the .GOV domains from http://www.data.gov/. I cooked a simple bash script loop against this list and passed it to a Proof of Concept “check” tool to determine if the site was unpatched. The tool I used is https://gist.github.com/takeshixx/10107280 (python).