Illustration: Sarah Grillo/Axios

Heartbleed, a dangerous security hole in widely used web-security software, made its public debut five years ago this week. It proved a landmark moment for cybersecurity and, perhaps even more so, for the marketing of cybersecurity firms.

Why it matters: Heartbleed was both a security nightmare and a professionally branded marketing event, and that pairing set a new default for how security research makes its way into the world.

Background: When the security firm Codenomicon announced Heartbleed to the public, it came with a professionally designed logo and a standalone website.

  • I can't stress this enough: If there were ever a vulnerability that warranted a marketing campaign, it was Heartbleed, a flaw in OpenSSL encryption software used by millions of websites (including, at the time, Google and Facebook) that could cough up critical security or personal data.
  • Vulnerability research — the discovery of new security weaknesses in computer systems and software — sits at the nexus of cybersecurity, the practice, and cybersecurity, the business. So once vulnerability branding got started, it began to snowball.
  • Later in 2014, when a major vulnerability in the Unix Bash shell was discovered, researcher Davi Ottenheimer joked on Twitter that the discovery was "nice. but it's not big until there's a logo." Andreas Lindh responded with a logo and a name for the bug that stuck: ShellShock.
  • Soon there were Ghost and Stagefright. More recently there have been Meltdown and Spectre. Logos, websites and PR agents became de rigueur for drawing attention to a bug and to the researchers who discovered it.

The catch: Branding can overinflate less severe bugs. That might be smart marketing, but it's a problem for the people trying to fix what actually matters.

  • "People do prioritize [fixing] branded vulns when they don't have a mature prioritization process," said Chris Wysopal, co-founder and CTO of Veracode. "They do this because if they get asked a question about it from customers or partners, they want to be seen as on top of the issue."

The ethics can get hazy. There have been instances of overhyped branded vulnerabilities apparently being marketed to manipulate stock prices, or vastly overstated vulnerabilities shifting the security conversation.

  • "I think many people wish that 'vuln branding' had never become a thing," said Cris Thomas, global strategy lead for IBM's security audit team X-Force Red. "It reeks of marketing, salesmanship and pop culture, and all those things you don't want serious critical things to become."

The big picture: The obvious alternative to using clever names would be to use the ID numbers registered in vulnerability databases.

  • Microsoft lists vulnerabilities it is aware of with the letters MS followed by a numeric code. The National Vulnerability Database does the same with the letters CVE.
  • In all fairness, it's much easier to discuss a bug named "I am root" than to worry you've mistaken CVE-2019-0123 for CVE-2019-0132.
  • Neat idea that'll never happen: In 2015, a blogger for Fortinet suggested adopting World Health Organization naming standards — finding names that describe a specific problem without exaggerating it.

The bottom line: "We rarely find Heartbleed vulnerabilities in systems anymore. The same goes for most of the other 'branded' vulnerabilities. And yet we do still find boring old MS08-067 and MS17-010 all the time," said Thomas.
