
In the past few years we've witnessed the rise of branded vulnerabilities: Heartbleed [89], Badlock [115], Shellshock [116], and GHOST [117]. Does having a marketing department behind a vulnerability disclosure make that vulnerability worse than others without the marketing push? Not in any technical sense, no. What it does is draw additional attention to the vulnerability, so vendors can be forced to adjust the priority of the vulnerability cases they're working on and allocate resources toward addressing whatever vulnerability is getting the hype. Are branded vulnerabilities good or bad for internet security? The only good answer is the lesson of the Taoist parable of the farmer and the horse: "Maybe." [118]

The Streisand Effect

Attempts to squash true information once it's been revealed tend not only to spread the information more widely, but also to backfire on whoever is trying to conceal it. The name comes from a case involving the removal of online photos of a famous celebrity's house [119]. The attempt to suppress the photos only drew attention to them, resulting in many more people seeing them than would have otherwise.
This scenario comes up from time to time in CVD cases. Often it takes the form of a vendor trying to suppress the publication of a report about a vulnerability in its product, with some threat of legal action if the information is released. As we've discussed previously, the knowledge that a vulnerability exists in some feature of a product can be sufficient for a knowledgeable individual to rediscover the vulnerability. The legal threats usually serve to amplify the discussion of the case within the security community, which draws more attention to the vendor and its products while at the same time discouraging reporters from participating in the CVD process. Even more problematic is that when such attention comes to focus on the vendor's products, it is very likely that additional vulnerabilities will be found, and simultaneously less likely that anyone will bother to report them to the vendor before disclosing them publicly. Vendors should not underestimate spite as a motivation for vulnerability discovery.
