Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12:00 PM
Bill Brenner
Bill Brenner
Connect Directly
E-Mail vvv

FUD Watch: The Marketing Of Security Vulnerabilities

I'm all for raising awareness, but making designer vulnerabilities, catchy logos and content part of the disclosure process is a step in the wrong direction.

If I’ve learned anything about vulnerability management as part of a large security operation, it’s that these things are serious business. Vulnerabilities are a threat to companies using the affected technology and – more importantly – a threat to their customers. Customers’ personal data is at stake. Trust in the affected company is on the line. We need to figure out where our systems are affected, if at all, and move fast but carefully to keep users secure.

That means investigating disclosures in a calm, cool manner. But in this age of so-called “designer vulnerabilities” – in which catchy logos and other content are used as part of the disclosure process – it’s getting more difficult to maintain one’s perspective.

In IBM’s Security Intelligence blog, writer Pamela Cobb asks, “In the age of designer vulnerabilities that come with catchy names, branded websites and custom logos, how can the security industry stop itself from falling into a trap where the marketing of security vulnerabilities is just as important, if not more so, than the risk they actually represent?”

It’s an important question.

The idea of attaching marketing campaigns to vulnerabilities may seem like a golden opportunity, but in my opinion they are misguided attempts to boost the fear factor in a situation where fear is the last thing we need.

We saw the lack of calm with Heartbleed, Shellshock, Poodle, and now Venom.

Each were disclosed the way promoters announce a boxing match or unveil a dramatic movie poster. The vulnerability is portrayed as a monster – a Godzilla-like beast intent on incinerating everything in sight with its fiery breath. Blood and explosives are worked into the theme, because if it bleeds or goes boom, it gets the headlines.

Marketers gave us a heart with blood dripping from it for Heartbleed. For Shellshock they gave us two images – one that looks like a grenade, the other a sinister take on the Shell Gasoline logo. With Venom, we have the head of a cobra, venom dripping from its fangs. Each new vulnerability is compared to the last one, usually with claims that it’s “worse than Heartbleed” or “worse than Shellshock.” Company executives see it and panic. Fire drills ensue.

I don’t think marketers behind these images are slimy or sinister. They’re doing what marketing professionals are paid to do, drawing attention to something big their company’s research teams have discovered. I can even respect the argument that marketing vulnerabilities this way raises the awareness necessary to force people into action. The researchers involved are well-respected and good at what they do. They see cracks and want them fixed, and it’s impossible to find fault with that.

In his /dev/random blog, infosec consultant and hacker Xavier Mertens notes the potential benefits of designer vulnerabilities, writing that “Such vulnerabilities are critical and affect millions of devices and, thanks to the help of their marketing presence … were also relayed by regular mass media to the general public.” Sometimes, he wrote, that mass communication was for the good. But it was also for the bad, because overplaying of FUD led to some lousy press coverage. His final point: “Speaking about major vulnerabilities to a broader audience is of course a good initiative, (but) it must be performed in the right way. “

So far, my impression is that more is going wrong with the marketing approach than right.

When a security shop gets reports of a new vulnerability and initiates an investigation, cool heads are necessary. Raise the emotional noise with an image and you affect a person’s ability to look over the issue thoroughly and completely. Too much emotion leads to mistakes. There can be an overreaction to the flaw, causing companies to tweak systems in a way that can make matters worse. And there can be an underreaction, where practitioners who have been around the block a few times see the media attention and dismiss something important as FUD.

I’m all for raising awareness. I just think there are more responsible ways to do it. We’ve seen examples of that for years. As a journalist watching for new vulnerabilities each day, I found various sites that helped me keep track of everything without the bells and whistles. If a vulnerability was severe, it was simply labeled a high risk. You got the cold facts and could swing into action.

The process worked fine before the days of scary images.

I consider myself a forward-looking guy. I like when we try new things to raise awareness.

But in this case, it doesn’t work.

Put away the fancy artwork and get serious.


Writer. Father. Husband. Blogger. History buff. Heavy Metal fanatic. Rebellious Catholic. Frequent traveler. In his day job, Brenner writes about threats to Internet security as seen from his vantage point as Senior Security Tech Writer at Akamai Technologies research center. ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Sara Peters
Sara Peters,
User Rank: Author
5/29/2015 | 11:05:36 AM
mixed feelings
I've got mixed feelings about the catchy names and the cool graphics. I suppose they could contribute to FUD. But, then again, it does seem to increase awareness...and yet there are plenty of organizations that are STILL vulnerable to Heartbleed, so there's still a need for even more awareness.

Ultimately, I think the responsibility is on us, the journalists. We're the ones who write the headlines. We're the ones who decide when to cover something and when not to. They might send us the press releases, but we have to decide what to do with them.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This gives a new meaning to blind leading the blind.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link vers...
PUBLISHED: 2021-06-16
Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search field. ...
PUBLISHED: 2021-06-16
tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-5...
PUBLISHED: 2021-06-16
Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laughs attack, which allows an attacker to easily execute a (seemingly permanent) denial of service attack, essentially taking down Opencast using...
PUBLISHED: 2021-06-16
Nextcloud Talk is a fully on-premises audio/video and chat communication service. Password protected shared chats in Talk before version 9.0.10, 10.0.8 and 11.2.2 did not rotate the session cookie after a successful authentication event. It is recommended that the Nextcloud Talk App is upgraded to 9...