Tinc is not vulnerable to the Heartbleed bug.
The Heartbleed bug (CVE-2014-0160) is a bug in the OpenSSL library that affects any application that is linked to it and is making or accepting TLS connections. Although tinc links to the OpenSSL library, it does not use the TLS protocol, and is therefore not vulnerable.