Illustration: Sarah Grillo/Axios

Heartbleed, a dangerous security hole in widely used web-security software, made its public debut five years ago this week. It proved a landmark moment for cybersecurity and, perhaps even more so, for the marketing of cybersecurity firms.

Why it matters: Heartbleed was both a security nightmare and a professionally branded marketing event, and that pairing set a new default for how security research makes its way into the world.

Background: When the security firm Codenomicon announced Heartbleed to the public, it came with a professionally designed logo and a standalone website.

  • I can't stress this enough: If there were ever a vulnerability that warranted a marketing campaign, it was Heartbleed, a flaw in OpenSSL encryption software used by millions of websites (including, at the time, Google and Facebook) that could cough up critical security or personal data.
  • Vulnerability research — the discovery of new security weaknesses in computer systems and software — sits at the nexus of cybersecurity, the practice, and cybersecurity, the business. So once vulnerability branding got started, it began to snowball.
  • Later in 2014, when a major vulnerability in the Unix Bash Shell was discovered, researcher Davi Ottenheimer joked on Twitter that the discovery was "nice. but it's not big until there's a logo." Andreas Lindh responded with a logo and a name for the bug that stuck: ShellShock.
  • Soon there were Ghost and Stagefright. Recently there have been Meltdown and Spectre. To draw attention to a bug and the researchers who discovered it, logos, websites and PR agents became de rigueur.

The catch: Branding can often overinflate less severe bugs. That might be smart marketing, but it's a problem for people trying to fix what's important.

  • "People do prioritize [fixing] branded vulns when they don't have a mature prioritization process," said Chris Wysopal, co-founder and CTO of Veracode. "They do this because if they get asked a question about it from customers or partners, they want to be seen as on top of the issue."

The ethics can get hazy. There have been instances of overhyped branded vulnerabilities apparently being marketed to manipulate stock prices, or vastly overstated vulnerabilities shifting the security conversation.

  • "I think many people wish that 'vuln branding' had never become a thing," said Cris Thomas, global strategy lead for IBM's security audit team X-Force Red. "It reeks of marketing, salesmanship and pop culture, and all those things you don't want serious critical things to become."

The big picture: The obvious alternative to using clever names would be to use the ID numbers registered in vulnerability databases.

  • Microsoft lists vulnerabilities it is aware of with the letters MS followed by a numeric code. The National Vulnerability Database does the same with the letters CVE.
  • In all fairness, it's much easier to discuss a bug named "I am root" than to worry you've mistaken CVE-2019-0123 for CVE-2019-0132.
  • Neat idea that'll never happen: In 2015, a blogger for Fortinet suggested adopting World Health Organization naming standards — finding names that describe a specific problem without exaggerating it.

The bottom line: "We rarely find Heartbleed vulnerabilities in systems anymore. The same goes for most of the other 'branded' vulnerabilities. And yet we do still find boring old MS08-067 and MS17-010 all the time," said Thomas.
