Page History
...
Attempts to squash true information once it's been revealed tends not only to spread the information more widely, but also to backfire on whoever is trying to conceal it. The name comes from a case involving the removal of online photos of a famous celebrity's house [6]. The attempt to suppress the photos only drew attention to them resulting in many more people seeing them than would have otherwise.
This scenario comes up from time to time in CVD cases. Often it takes the form of a vendor trying to suppress the publication of a report about a vulnerability in its product, with some threat of legal action if the information is released. As we've discussed previously, the knowledge that a vulnerability exists in some feature of a product can be sufficient for a knowledgeable individual to rediscover the vulnerability. The legal threats usually serve to amplify the discussion of the case within the security community, which draws more attention to the vendor and its products at the same time it demotivates reporters' willingness to participate in the CVD process. Even more problematic is that when such attention comes to focus on the vendors' products, it is very likely that additional vulnerabilities will be found—while simultaneously less likely that anyone will bother to report them to the vendor before disclosing them publicly. Vendors should not underestimate spite as a motivation for vulnerability discovery.
Panel | ||
---|---|---|
| ||
< 6.7 Relationships that Go Sideways | 6.9 What to Do When Things Go Wrong > |
...