diff --git a/CHANGES b/CHANGES
index 0ca7d49822..d24cdb31a8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,16 @@
 
+4.1.0-dev.423 | 2021-03-26 16:44:26 -0700
+
+  * GH-1454: Heartbleed: fix substraction order. (Johanna Amann)
+
+    Fixes incorrect/overflowed `n` value for `SSL_Heartbeat_Many_Requests`
+    notices where number of server heartbeats is greater than number of client
+    heartbeats.
+
+    The larger number was substracted from the smaller one leading to an
+    integer overflow. However, no information was lost due to everything
+    also being present in the notice message.
+
 4.1.0-dev.421 | 2021-03-26 16:39:22 -0700
 
   * Fix crash in Analyzer::ForwardPacket due to recursive analyzer calls. (Tim Wojtulewicz, Corelight)
diff --git a/VERSION b/VERSION
index 278c863c3e..e7c3730eaf 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-4.1.0-dev.421
+4.1.0-dev.423
diff --git a/scripts/policy/protocols/ssl/heartbleed.zeek b/scripts/policy/protocols/ssl/heartbleed.zeek
index 483c1f4ce1..aabafbff14 100644
--- a/scripts/policy/protocols/ssl/heartbleed.zeek
+++ b/scripts/policy/protocols/ssl/heartbleed.zeek
@@ -154,7 +154,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 			NOTICE([$note=SSL_Heartbeat_Many_Requests,
 				$msg=fmt("Server sending more heartbeat responses than requests seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
 				$conn=c,
-				$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
+				$n=(c$ssl$responder_heartbeats-c$ssl$originator_heartbeats),
 				$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
 				]);