Sign up for our daily briefing

Make your busy days simpler with Axios AM/PM. Catch up on what's new and why it matters in just 5 minutes.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Stay on top of the latest market trends

Subscribe to Axios Markets for the latest market trends and economic insights. Sign up for free.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Sports news worthy of your time

Binge on the stats and stories that drive the sports world with Axios Sports. Sign up for free.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Tech news worthy of your time

Get our smart take on technology from the Valley and D.C. with Axios Login. Sign up for free.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Get the inside stories

Get an insider's guide to the new White House with Axios Sneak Peek. Sign up for free.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Catch up on coronavirus stories and special reports, curated by Mike Allen everyday

Catch up on coronavirus stories and special reports, curated by Mike Allen everyday

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Denver news?

Get a daily digest of the most important stories affecting your hometown with Axios Denver

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Des Moines news?

Get a daily digest of the most important stories affecting your hometown with Axios Des Moines

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Twin Cities news?

Get a daily digest of the most important stories affecting your hometown with Axios Twin Cities

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Tampa Bay news?

Get a daily digest of the most important stories affecting your hometown with Axios Tampa Bay

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Charlotte news?

Get a daily digest of the most important stories affecting your hometown with Axios Charlotte

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Illustration: Sarah Grillo/Axios

Heartbleed, a dangerous security hole in widely used web-security software, made its public debut five years ago this week. It proved a landmark moment for cybersecurity and, perhaps even more so, for the marketing of cybersecurity firms.

Why it matters: Heartbleed was both a security nightmare and a professionally branded marketing event, and that pairing set a new default for how security research makes its way into the world.

Background: When the security firm Codenomicon announced Heartbleed to the public, it came with a professionally designed logo and a standalone website.

  • I can't stress this enough: If there were ever a vulnerability that warranted a marketing campaign, it was Heartbleed, a flaw in OpenSSL encryption software used by millions of websites (including, at the time, Google and Facebook) that could cough up critical security or personal data.
  • Vulnerability research — the discovery of new security weaknesses in computer systems and software — sits at the nexus of cybersecurity, the practice, and cybersecurity, the business. So once vulnerability branding got started, it began to snowball.
  • Later in 2014, when a major vulnerability in the Unix Bash Shell was discovered, researcher Davi Ottenheimer joked on Twitter that the discovery was "nice. but it's not big until there's a logo." Andreas Lindh responded with a logo and a name for the bug that stuck: ShellShock.
  • Soon there was Ghost and Stagefright. Recently there has been Meltdown and Spectre. To draw attention to a bug and the researchers who discovered it, logos, websites and PR agents became de rigueur.

The catch: Branding can often overinflate less severe bugs. That might be smart marketing, but it's a problem for people trying to fix what's important.

  • "People do prioritize [fixing] branded vulns when they don’t have a mature prioritization process," said Chris Wysopal, co-founder and CTO of Veracode. "They do this because if they get asked a question about it from customers or partners, they want to be seen as on top of the issue.”

The ethics can get hazy. There have been instances of overhyped branded vulnerabilities apparently being marketed to manipulate stock prices, or vastly overstated vulnerabilities shifting the security conversation.

  • "I think many people wish that 'vuln branding' had never become a thing," said Cris Thomas, global strategy lead for IBM's security audit team X-Force Red. "It reeks of marketing, salesmanship and pop culture, and all those things you don't want serious critical things to become."

The big picture: The obvious alternative to using clever names would be to use the ID numbers registered in vulnerability databases.

  • Microsoft lists vulnerabilities it is aware of with the letters MS followed by a numeric code. The National Vulnerability Database does the same with the letters CVE.
  • In all fairness, it's much easier to discuss a bug named "I am root" than to worry you've mistaken CVE-2019-0123 for CVE-2019-0132.
  • Neat idea that'll never happen: In 2015, a blogger for Fortinet suggested adopting World Health Organization naming standards — finding names that describe a specific problem without exaggerating it.

The bottom line: "We rarely find Heartbleed vulnerabilities in systems anymore. The same goes for most of the other 'branded' vulnerabilities. And yet we do still find boring old MS08-067 and MS17-010 all the time," said Thomas.

Go deeper ... Study: Software security vulnerabilities persist for months

Go deeper

Capitol review panel recommends more police, mobile fencing

Photo: Olivier Douliery/AFP via Getty Images

A panel appointed by Congress to review security measures at the Capitol is recommending several changes, including mobile fencing and a bigger Capitol police force, to safeguard the area after a riotous mob breached the building on Jan 6.

Why it matters: Law enforcement officials have warned there could be new plots to attack the area and target lawmakers, including during a speech President Biden is expected to give to a joint session of Congress.

Financial fallout from the Texas deep freeze

Illustration: Annelise Capossela/Axios

Texas has thawed out after an Arctic freeze last month threw the state into a power crisis. But the financial turmoil from power grid shock is just starting to take shape.

Why it matters: In total, electricity companies are billions of dollars short on the post-storm payments they now owe to the state's grid operator. There's no clear path for how they will pay — something being watched closely across the country as extreme weather events become more common.

U.S. Chamber decides against political ban for Capitol insurrection

A pedestrian passes the U.S. Chamber of Commerce headquarters as it undergoes renovation. Photo: Andrew Harrer/Bloomberg via Getty Images

The U.S. Chamber of Commerce revealed Friday it won't withhold political donations from lawmakers who simply voted against certifying the presidential election results and instead decide on a case-by-case basis.

Why it matters: The Chamber is the marquee entity representing businesses and their interests in Washington. Its memo, obtained exclusively by Axios, could set the tone for businesses debating how to handle their candidate and PAC spending following the Jan. 6 Capitol attack.