The Heartbleed Bug Is Mostly Fixed, but Not Entirely

If you’ve been worried about the dreaded Heartbleed vulnerability that shook the foundations of the Internet last week, you can start to breathe a little easier. But not completely.

The Internet security firm Sucuri has done a systematic scan of the top million sites on the Internet as ranked by Amazon’s Alexa, and according to its findings, related in a blog post Thursday by its CTO Daniel Cid, the news is mostly good, with some bad.

The good news is that according to its findings, the top 1,000 sites on the Web are safe. (See the Top 500 here.) They’ve been updated, their certificates and keys recreated, and they’re now safe to use, though you should probably still change your passwords just to be cautious. The top thousand includes Google, Facebook, YouTube, Pinterest, Wikipedia, Twitter, LinkedIn and Bing, as well as pretty much any other site that most of us are likely to use on a daily basis.

Perhaps even more reassuring is that within the top 10,000 sites, only 53 were found to still be vulnerable. Sucuri doesn’t reveal who they are, though statistically speaking you stand a pretty good chance of not encountering a site that’s still vulnerable among that set unless you prowl some pretty obscure corners of the Web.

The bad news, and it’s relative, is that many — about two percent — of the top million sites are still vulnerable. That works out to more than 20,000 sites. The more popular a site, the more likely it is to have been fixed. Again, Sucuri doesn’t identify any of the culprits. By way of suggesting you check on these things yourself, it points to the Heartbleed test site here to see whether a site you use is fixed or not.

Also there’s this: Sucuri detected more than 48,000 scans carried out by sites looking for other sites still affected by the Heartbleed vulnerability. Most of them, it turns out, could be traced to IP addresses on Amazon’s EC2, which is where the scanning tool behind that test site has been hosted.

Most — but not all. Some of those scans could just as easily be attackers scanning for vulnerable sites. The trouble is, it’s impossible to know. Consider yourself warned: There are likely a few bad guys out there conducting mop-up operations, looking for vulnerable sites and hoping to catch the occasional unwary user.

For those not keeping score, the Heartbleed bug emerged last week. Essentially, it takes advantage of a flaw in OpenSSL, the security software used by about two-thirds of the sites on the Internet, and allows an attacker to randomly scoop up samplings of whatever data happens to be sitting in a computer’s memory. That can include, but isn’t limited to, user names and passwords or other sensitive data. It can also allow attackers to steal the private keys behind server certificates, allowing them to impersonate a legitimate server and trick users into giving up their user names and passwords. (If this is too technical, here’s the comic strip version.)
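To make the flaw concrete, here is a simplified model added as an example (it is not code from OpenSSL or from the article): a heartbeat handler that trusts the length field inside the request, beside one that checks that field against the number of bytes actually received. The record layout, function names and the "secret" arena contents are constructed assumptions for the demonstration.

```c
/* Simplified model of the OpenSSL heartbeat bug. Assumed record layout:
 * 1-byte type, 2-byte big-endian payload length, payload, then at least
 * 16 bytes of padding. No network involved; "memory" is a local arena. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_PADDING 16

/* Echo the request payload into out; return bytes echoed or -1 on rejection.
 * record_len is how many bytes the TLS layer actually delivered. */
static long heartbeat_vulnerable(const uint8_t *rec, size_t record_len,
                                 uint8_t *out, size_t out_cap)
{
    (void)record_len;                     /* the bug: delivered length is never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > out_cap) return -1; /* protects out, not the source */
    memcpy(out, rec + 3, payload_len);    /* over-reads whatever follows rec */
    return (long)payload_len;
}

static long heartbeat_fixed(const uint8_t *rec, size_t record_len,
                            uint8_t *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_PADDING) return -1;  /* no room for even a header */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* the fix: the claimed payload must fit inside what was received */
    if (1 + 2 + payload_len + HB_PADDING > record_len) return -1;
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);
    return (long)payload_len;
}

/* Constructed scenario: a 5-byte payload that claims to be 40 bytes, with
 * unrelated data (the "secret") sitting right after the 24-byte record. */
#define DEMO_SECRET "constructed-secret"
static long run_demo(int use_fixed, uint8_t *out, size_t out_cap)
{
    uint8_t arena[64] = {0};
    arena[0] = HB_REQUEST; arena[1] = 0; arena[2] = 40;  /* lies about length */
    memcpy(arena + 3, "hello", 5);
    size_t record_len = 3 + 5 + HB_PADDING;              /* 24 bytes really delivered */
    memcpy(arena + record_len, DEMO_SECRET, sizeof DEMO_SECRET);
    return use_fixed ? heartbeat_fixed(arena, record_len, out, out_cap)
                     : heartbeat_vulnerable(arena, record_len, out, out_cap);
}
```

With the vulnerable handler, the echoed buffer carries the secret that sat beyond the record; the fixed handler refuses the request outright while still answering a well-formed one.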

Companies affected by Heartbleed have been scrambling to patch the bug. The patch itself is trivial to install; the real work involves revoking encryption keys and certificates, creating new ones to secure data and then nudging users to create new passwords. The problem is that doing all that doesn’t help with data that may already have been stolen during attacks carried out before the bug was discovered.

Also still lingering is the role the U.S. National Security Agency may have played in allowing the bug to spread after discovering it about two years ago. Instead, according to a Bloomberg report, it exploited the bug in its spying and surveillance operations. The NSA has denied it knew about the bug before anyone else.