Lessons in software bug marketing: Heartbleed’s evocative branding, dedicated web presence clearly communicate need for action (Patrick…

If you’re a technologist and you’re not living under a rock, you’ve heard about Heartbleed, which is a Severity: Apocalyptic bug in the extraordinarily widely deployed OpenSSL software. Heartbleed lets anyone capable of finding a command line read encryption keys, passwords, and other private data out of affected systems. If you don’t remember addressing this in the last 48 hours close this window immediately and get to work.

Now that we’re past the immediate panic phase, though, I want to share some lessons learned. Security experts can tell you more than I can about what it means for good C coding practices in high-criticality security libraries. I want to take a moment to point at the marketing aspects of it: how the knowledge about Heartbleed managed to spread within a day and move, literally, hundreds of thousands of people to remediate the problem.

Heartbleed is much better marketed than typical for the OSS community, principally because it has a name, a logo, and a dedicated web presence.

What’s In A Name

Remember CVE-2013-0156? Man, those were dark days, right?

Of course you don’t remember CVE-2013-0156. The security community refers to vulnerabilities by numbers, not names. This does have some advantages, like precision and the ability to Google them and get meaningful results all of the time, but it makes it very difficult for actual humans to communicate about the issues. CVE-2013-0156 was the Rails YAML deserialization vulnerability

Originally posted here:
Lessons in software bug marketing: Heartbleed's evocative branding, dedicated web presence clearly communicate need for action (Patrick...
