by Laura Yecies
More and more, security companies are irresponsibly generating unnecessary publicity around new attacks, misguidedly seeking credibility for their products by showing off their security expertise and cultivating a “cutting edge” reputation. Honeypots are dispatched, threat reports sternly issued, and zero-day vulnerabilities frantically announced. The world is ending, or so some would have you believe.
Much of the noise is just that: noise. In a bid to outdo one another, companies often rush to publish a new “discovery” before it has been properly vetted or disclosed (e.g. the recent Adobe Flash non-vulnerability). Old threats are re-dressed in a new package (e.g. LinkedIn instead of MySpace as the ‘new’ social networking threat), or simply pulled out of the closet and dusted off.
Part of this new publicity battle stems from the general lack of interest from the major media. Gone are the days of new virus attacks headlining CNN, the cover of Time or the front page of the Wall Street Journal. Hackers went underground, retooling their attacks to *avoid* massive news coverage. So the dangers still lurk, but it is now up to us as an industry to use creativity to alert the public and offer advice on how to stay protected.
Most critically, we, as an industry, must maintain the code of advanced, responsible disclosure. If your researcher discovers a new vulnerability, you must notify the affected company(ies) and give them time to patch it before releasing the details to the public.
If researchers skip this step, they must be held accountable, because a cottage industry has sprung up in which people do nothing but search for vulnerabilities and use them to generate publicity for a product or brand. Some self-styled security experts appear to do little besides check their spam folder and write press releases. A few “independent” firms even sell their “research” with the threat of media exposure if the affected company doesn’t purchase it (this is not referring to legitimate bounty programs). All of these behaviors undermine the legitimacy of the industry as a whole, leaving reporters, consumers and businesses unsure of whom to believe, and ultimately creating more insecurity.
Yes, there is PR value in establishing security expertise, but the trend of competitive threat reporting is out of control. More restraint is needed. Security PR should revolve around educating the public about threats and offering protection tips, highlighting product differentiators (for example, if a new exploit is discovered, tell your customers whether and why they are protected) and announcing new product releases. It should not revolve around creating hysteria, tapping into “hot” Internet news trends, or exploiting another company’s misfortune.
Maintaining the proper disclosure protocol is a responsibility that all security companies must take seriously. While we are all businesses and have a bottom line to consider, we aren’t selling ringtones. The public is counting on us to keep them informed, educated, and protected, without faking it.