Illustration: Sarah Grillo/Axios

Heartbleed, a dangerous security hole in widely used web-security software, made its public debut five years ago this week. It proved a landmark moment for cybersecurity and, perhaps even more so, for the marketing of cybersecurity firms.

Why it matters: Heartbleed was both a security nightmare and a professionally branded marketing event, and that pairing set a new default for how security research makes its way into the world.

Background: When the security firm Codenomicon announced Heartbleed to the public, it came with a professionally designed logo and a standalone website.

  • I can't stress this enough: If there were ever a vulnerability that warranted a marketing campaign, it was Heartbleed, a flaw in OpenSSL encryption software used by millions of websites (including, at the time, Google and Facebook) that could cough up critical security or personal data.
  • Vulnerability research — the discovery of new security weaknesses in computer systems and software — sits at the nexus of cybersecurity, the practice, and cybersecurity, the business. So once vulnerability branding got started, it began to snowball.
  • Later in 2014, when a major vulnerability in the Unix Bash Shell was discovered, researcher Davi Ottenheimer joked on Twitter that the discovery was "nice. but it's not big until there's a logo." Andreas Lindh responded with a logo and a name for the bug that stuck: ShellShock.
  • Soon there was Ghost and Stagefright. Recently there has been Meltdown and Spectre. To draw attention to a bug and the researchers who discovered it, logos, websites and PR agents became de rigueur.

The catch: Branding can often overinflate less severe bugs. That might be smart marketing, but it's a problem for people trying to fix what's important.

  • "People do prioritize [fixing] branded vulns when they don’t have a mature prioritization process," said Chris Wysopal, co-founder and CTO of Veracode. "They do this because if they get asked a question about it from customers or partners, they want to be seen as on top of the issue.”

The ethics can get hazy. There have been instances of overhyped branded vulnerabilities apparently being marketed to manipulate stock prices, or vastly overstated vulnerabilities shifting the security conversation.

  • "I think many people wish that 'vuln branding' had never become a thing," said Cris Thomas, global strategy lead for IBM's security audit team X-Force Red. "It reeks of marketing, salesmanship and pop culture, and all those things you don't want serious critical things to become."

The big picture: The obvious alternative to using clever names would be to use the ID numbers registered in vulnerability databases.

  • Microsoft lists vulnerabilities it is aware of with the letters MS followed by a numeric code. The National Vulnerability Database does the same with the letters CVE.
  • In all fairness, it's much easier to discuss a bug named "I am root" than to worry you've mistaken CVE-2019-0123 for CVE-2019-0132.
  • Neat idea that'll never happen: In 2015, a blogger for Fortinet suggested adopting World Health Organization naming standards — finding names that describe a specific problem without exaggerating it.

The bottom line: "We rarely find Heartbleed vulnerabilities in systems anymore. The same goes for most of the other 'branded' vulnerabilities. And yet we do still find boring old MS08-067 and MS17-010 all the time," said Thomas.

Go deeper ... Study: Software security vulnerabilities persist for months

Go deeper

Exclusive: Conservative group launches $2M Supreme Court ad

Screengrab of ad, courtesy of Judicial Crisis Network.

The Judicial Crisis Network is launching a $2.2 million ad campaign to put pressure on vulnerable Senate Republicans in battleground states to support a quick confirmation when President Trump announces his Supreme Court nominee.

The big picture: "Follow Precedent," previewed by Axios, is one of the first national and cable television ads to run following Justice Ruth Bader Ginsberg's death Friday.

Updated 11 mins ago - Politics & Policy

CDC says it mistakenly published guidance about COVID-19 spreading through air

CDC Director Robert Redfield. Photo: Anna Moneymaker/Pool/Getty Images

The CDC has removed new guidance that acknowledged airborne transmission of the coronavirus, posting in a note on its website that the guidance was only a draft and had been published in error.

Why it matters: The initial update — which was little noticed until a CNN story was published Sunday — had come months after scientists pushed for the agency to acknowledge the disease was transmissible through the air. The CDC previously said that close person-to-person contact was the bigger concern, and the language has been changed back to erase the warning about airborne transmission.

Ruth Bader Ginsburg will lie in state in Capitol's National Statuary Hall

Photo: Getty Images

House Speaker Nancy Pelosi announced Monday that the late Supreme Court Justice Ruth Bader Ginsburg will lie in state in the Capitol's National Statuary Hall on Friday.

The state of play: The Supreme Court also announced Monday that Ginsburg will lie in repose on the front steps of the building on Wednesday and Thursday, allowing the public to pay respects to the late justice outside.