News Stay informed about the latest enterprise technology news and product updates.

Vulnerability branding becomes another marketing tool

Branding a security threat with a catchy nickname isn’t new but the practice has evolved over time. Nicknames used to be for worms or viruses (Melissa, Code Red, etc.) and most were named by those who created the code itself, like the Conficker worm or Blaster, which was a worm packaged in a file named MSBlast.exe.

More recently, the trend has been to brand vulnerabilities with punchy marketing names like Heartbleed, VENOM, and Badlock, and give them logos too. The idea with newer efforts began with creating more understanding of the issue. For example, ShellShock covered a number of vulnerabilities that affected the Bash shell, and Heartbleed related to the TLS heartbeat extension.

At first, this practice was praised because it made it easier for the population to understand a problem and arguably led to higher rates of remediation. The idea was that execs who didn’t know much about security would take interest in the patching of said flaw, raising patch rates, and branding made reporting on vulnerabilities easier. Although, even this benefit has been under scrutiny given the number of servers still vulnerable to Heartbleed.

Unfortunately, there has never been much consistency to the practice and it has begun to feel as though branding a vulnerability is marketing for the researcher (team or individuals) behind the disclosure rather than making it easier to talk about the flaw.

Some branded vulnerabilities have been legitimate security risks (Heartbleed and ShellShock); others never saw measurable numbers of exploits in the wild even with proof-of-concept exploits created (VENOM, Stagefright, GHOST or Rowhammer); and beyond both of those examples were the vulnerabilities that were serious security risks but never received branding.

The exclusion of that last group makes sense, partly because if anyone tried naming every Flash vulnerability packed into an exploit kit, they would run out of words before running out of issues, but also because, as Red Hat succinctly put it in a Venn diagram — the overlap between branded vulnerabilities and security issues that matter is not that big.

It may be easier to rally behind a threat with a name, but that doesn’t make it the most dangerous and only serves to muddy the water. And in the extreme, a vulnerability like Badlock is branded weeks before it is disclosed, breeding fear with no option for mitigation and giving criminals time to find and exploit the flaw.

Ultimately, if branding doesn’t have a clear purpose beyond marketing the research team that discloses the vulnerability, it could create more issues. At the very least, IT departments would have their time and resources wasted on lower priority flaws and at worst enterprises will be left at risk by putting resources into the wrong fixes.