
Risk & Repeat: Is vulnerability marketing problematic?


In this week's Risk & Repeat podcast, SearchSecurity editors discuss vulnerability marketing and compare how the recent KRACK attack and ROCA flaw were publicized and promoted.

Should security vulnerabilities be marketed like products? That was the question after two major security flaws brought to light last week -- the KRACK attack and the ROCA flaw -- offered a contrast in the practice of vulnerability marketing.

While the KRACK attack, which exploits a vulnerability in the WPA2 protocol, received more marketing and media attention, some infosec experts argued the ROCA flaw, which affects RSA encryption in Infineon Technologies chips, was as serious as KRACK, if not more so.

Both vulnerabilities were discovered primarily by security researchers at universities, not by vendors. Yet, ROCA appeared to have taken a backseat to the KRACK attack; the latter discovery benefited from vulnerability marketing efforts, which included a dedicated website and promotional efforts to raise awareness of the WPA2 flaw.

What are the potential drawbacks of vulnerability marketing? Should the researchers who discovered the ROCA flaw have done more to promote their findings, or is the infosec community treating vulnerabilities too much like products? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.
