What kinds of clients are vulnerable?
Anything that speaks TLS using OpenSSL is potentially vulnerable, but there are two main classes of client apps that are worth mentioning:
1) Traditional clients are things like web browsers, apps that use HTTP APIs (everything from Dropbox to Microsoft Office), and of course many mobile apps on both iOS and Android. It might be easy to direct one of these clients to connect to a malicious server (as in the case of a web browser) or it might require a man-in-the-middle (MITM) attack to redirect a client to an evil endpoint.
2) Open agents are clients that can be driven by an attacker but don't reside on an attacker's machine. If you can direct some remote application to fetch a URL on your behalf, then you could theoretically attack that application. The web is full of applications that accept URLs and do something with them; any of these have the potential to be vulnerable:
• Social networks that do smart things with URLs; e.g. Facebook, which fetches any URL that you type into a status update in order to generate a preview of that URL.
• File sharing apps like image thumbnailers, image hosters, Gravatar, and anything else that can "upload" an image or other user-supplied data via a URL.
• Web spiders like the Googlebot that can stumble on a URL and index it – they can be directed to a malicious server just by linking to it.
• API consumers that allow integrations across websites. For example, Redbooth integrates with Dropbox to allow users to upload files to projects. If I can convince the Redbooth servers via MITM to send their Dropbox requests to my server, I can potentially exploit them.
• Identity federation protocols, such as OpenID and WebFinger, allow low-trust users to direct high-trust servers to arbitrary URLs that the user can control. The StackOverflow login page prompts the user for a URL that can be used to log in with OpenID – therefore, the code that StackOverflow uses to fetch that URL must not be vulnerable.
• Webhooks, which allow a user to register interest in a certain event happening and get a callback. I can tell GitHub that I'd like to be notified at a URL I control whenever someone pushes to a repository, and GitHub's agent will connect to that URL over TLS if specified.
The surface of exposed clients is potentially very broad – any code in an application that makes outbound HTTP requests must be checked against reverse Heartbleed attacks.
The important takeaway is that it's not enough to patch your perimeter hosts: you need to purge bad OpenSSL versions from your entire infrastructure. And you should keep a healthy distance between agent code that fetches user-provided URLs and sensitive parts of your systems.
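One way to act on that takeaway is a fleet-wide audit of which OpenSSL each outbound-fetching service actually links against. The script below is an added example written for this page; it is not code from the original post or from Meldium. It parses OpenSSL version banners in the format printed by `openssl version` (and exposed to Python as `ssl.OPENSSL_VERSION`), and flags the range the OpenSSL project published as affected by the heartbeat bug: 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release, with 1.0.1g being the first fixed release. The host names and the inventory are constructed sample data; `audit_inventory`, `is_heartbleed_affected` and the other function names are this example's own.

```python
import re
import ssl

# Banner format as OpenSSL prints it, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# The patch letter is optional ("1.0.1" is the first release of a branch) and
# pre-releases carry a "-betaN" suffix ("OpenSSL 1.0.2-beta1 24 Feb 2014").
_VERSION_RE = re.compile(
    r"(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\w+))?"
)


def parse_openssl_version(banner):
    """Return (name, major, minor, fix, patch_index, prerelease) or None.

    patch_index maps '' -> 0, 'a' -> 1, 'b' -> 2, ... so that releases on the
    same branch compare correctly as integers.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    name, major, minor, fix, letters, pre = m.groups()
    patch = 0
    for ch in letters:
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (name, int(major), int(minor), int(fix), patch, pre or "")


def is_heartbleed_affected(banner):
    """True if the banner names a release that shipped the buggy heartbeat code.

    Caveat: this is a version-string check only. Distribution packages that
    backported the fix keep the old upstream string (a patched 1.0.1e still
    reports "1.0.1e"), so a hit here means "confirm against the vendor
    advisory", not "definitely vulnerable".
    """
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError("unrecognised version banner: %r" % (banner,))
    name, major, minor, fix, patch, pre = v
    if name != "OpenSSL":
        # LibreSSL forked from the already-fixed 1.0.1g and was never affected.
        return False
    branch = (major, minor, fix)
    if branch == (1, 0, 1):
        # 1.0.1 (patch 0) through 1.0.1f (patch 6) are affected; 1.0.1g is fixed.
        return patch <= 6
    if branch == (1, 0, 2):
        # The only affected 1.0.2 build was the beta1 pre-release.
        return pre == "beta1"
    # 0.9.8 and 1.0.0 never had the heartbeat extension; later branches are fixed.
    return False


def audit_inventory(inventory):
    """inventory: mapping host -> banner collected from that host.

    Returns the sorted list of hosts whose OpenSSL must be purged or verified.
    """
    return sorted(
        host for host, banner in inventory.items() if is_heartbleed_affected(banner)
    )


def check_local_runtime():
    """Report the OpenSSL this interpreter links against and whether it is affected.

    Returns (banner, affected) where affected is None if the banner is unparsable.
    """
    banner = ssl.OPENSSL_VERSION
    try:
        return banner, is_heartbleed_affected(banner)
    except ValueError:
        return banner, None


# Constructed sample inventory (hypothetical hosts) covering the kinds of
# outbound-fetching agents the post lists: an edge proxy, a webhook delivery
# worker, an image thumbnailer, and a legacy batch box on the 1.0.0 branch.
SAMPLE_INVENTORY = {
    "edge-proxy-1": "OpenSSL 1.0.1g 7 Apr 2014",
    "webhook-worker-3": "OpenSSL 1.0.1e 11 Feb 2013",
    "thumbnailer-2": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy-batch-9": "OpenSSL 1.0.0l 6 Jan 2014",
}


if __name__ == "__main__":
    banner, affected = check_local_runtime()
    status = {True: "AFFECTED", False: "not affected", None: "unknown, check manually"}
    print("this interpreter: %s -> %s" % (banner, status[affected]))
    for host in audit_inventory(SAMPLE_INVENTORY):
        print("purge or verify: %s (%s)" % (host, SAMPLE_INVENTORY[host]))
```

In practice you would feed `audit_inventory` the output of `openssl version` gathered from every host, and separately check each language runtime (the Python interpreter above, a statically linked Go or Java binary, a bundled mobile SDK), because an application can link a different OpenSSL than the one the OS package manager reports. The version check tells you where to look; the vendor changelog tells you whether the fix was backported.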