
Hype, Marketing, and Unwanted Attention

Branded Vulnerabilities

In recent years we've witnessed the rise of branded vulnerabilities, including Heartbleed, POODLE, Badlock, Shellshock, GHOST, Spectre and Meltdown.

Is a branded vulnerability more dangerous than one without? Not in any technical sense, no. Instead, what it does is draw additional attention—which can lead to vendors being forced to adjust the priority of the vulnerability cases they're working on and allocate resources toward addressing whatever vulnerability is getting the hype.

Are branded vulnerabilities good or bad for internet security?

The only good answer is the lesson of the Taoist parable of the farmer and the horse: "Maybe."

The Streisand Effect

Attempts to squash true information once it has been revealed tend not only to spread the information more widely, but also to backfire on whoever is trying to conceal it. The name, coined by Mike Masnick, comes from a case involving the removal of online photos of a famous celebrity's house. The attempt to suppress the photos only drew attention to them, resulting in many more people seeing them than would have otherwise.

This scenario comes up from time to time in CVD cases. Often it takes the form of a vendor trying to suppress the publication of a report about a vulnerability in its product, with some threat of legal action if the information is released. As we've discussed previously, the knowledge that a vulnerability exists in some feature of a product can be sufficient for a knowledgeable individual to rediscover the vulnerability. The legal threats usually serve to amplify the discussion of the case within the security community, which draws more attention to the vendor and its products while at the same time reducing reporters' willingness to participate in the CVD process. Even more problematic is that when such attention comes to focus on the vendor's products, it is very likely that additional vulnerabilities will be found, and simultaneously less likely that anyone will bother to report them to the vendor before disclosing them publicly.

Beware The Power of Spite

Vendors should not underestimate spite as a motivation for vulnerability discovery.

A vulnerability is receiving unanticipated media attention

Role(s) affected: Vendor

Phase(s): Public Awareness

Description:

  1. The vendor is aware of the vulnerability, and may have already released a fix.
  2. There is considerable media attention drawn to the vulnerability.
    • Sometimes this is triggered by savvy marketing on the part of the Finder or Reporter.
    • Other times this attention comes about because of recent similar media stories.
    • Often the media attention is disproportionate to the severity of the vulnerability.
  3. Vendors and Coordinators (if any are involved) can often help their users, constituents, and the media to appropriately calibrate their concern about a vulnerability by providing a clear and accurate representation of the facts.
  4. Vendors should not, however, attempt to squash information that is already available in the public sphere. This often backfires, leading to even more publicity. It's better to let the vulnerability be the story rather than have the Vendor's response to the vulnerability become the story.

Vendor has a reputation for or history of treating reporters poorly

Role(s) affected: Reporter

Phase(s): Reporting

Description:

  1. The reporter wishes to report a vulnerability to the vendor.
  2. The vendor has a history of treating reporters poorly (retaliation, threatened litigation, etc.).
  • Assuming the reporter chooses to continue pursuing the issue at all, their options include:
    • The Reporter may publish the report on their own, possibly anonymously.
    • The Reporter may attempt to engage a Coordinator to act as a neutral third party.
    • The Reporter may attempt to engage a Coordinator to act as an anonymizing proxy to relay the information to the Vendor.
    • The Reporter may take steps to report the vulnerability to the Vendor anonymously.
  • The CERT/CC recommends that Reporters do their best to provide Vendors with an opportunity to resolve vulnerabilities prior to public disclosure. However, if the Vendor's prior behavior makes that infeasible, it is our opinion that there is a benefit to public awareness of the vulnerability regardless.