Heartbleed: When Is It Good to Name a Vulnerability?

Back in April 2014, researchers uncovered a serious vulnerability in OpenSSL. There were many serious vulnerabilities, but that one was particularly bad, with security expert Bruce Schneier calling it "catastrophic."

"On the scale of 1 to 10, this is an 11," he wrote on his blog.

The Tor Project issued a similarly stark warning: "If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle." 

The official name of the vulnerability was CVE-2014-0160, but most people know it by the name Heartbleed.

Finnish company Codenomicon, which discovered the vulnerability alongside Google security researcher Neel Mehta, anticipated the magnitude of the issue and decided to give the flaw a name to call attention to it. (Herralan Ossi, one of the company's security specialists, actually came up with the Heartbleed moniker.) Codenomicon designed a logo and launched a website with resources to help people address the issue quickly.

"It was a pretty serious vulnerability, and that's why we thought it would be a good idea to have a campaign around it with information," says David Chartier, who was Codenomicon's CEO at that time. (Codenomicon was later acquired by Synopsys.) "We thought it would make everybody's life easier if we put a name on it."

The name Heartbleed is an allusion to heartbeat, an element of the TLS/SSL protocol. The heartbeat allows two computers to confirm they are connected to each other, even if there's no data being transferred between them. The first computer sends a heartbeat message, or an encrypted data packet, to the other computer at regular intervals, and the second computer returns an identical packet to confirm the connection. The Heartbleed flaw, however, allows attackers to read server memory and send additional information, or "bleeding out data," as Chartier puts it. This way, attackers can extract sensitive information, such as passwords and private keys.

The impact was widespread, as many companies — a list that included Amazon Web Services, Dropbox, GitHub, Google, Instagram, LastPass, Minecraft, OKCupid, Netflix, Pinterest, Reddit, SoundCloud, Tumblr, Wikipedia, Yahoo, and YouTube, to name just a few — announced that their servers were vulnerable and recommended users to update their passwords.

"This huge vulnerability needed a striking mark," the logo's designer, Leena Snidate, told Fast Company at the time. "The colour choice was immediate for me — deep blood red."

The Branded Vulnerabilities Trend

In the case of Heartbleed, branding the flaw with a name and logo helped get media attention and was successful in raising awareness around the issue. A Pew Research Center survey from April 2014 (within weeks of the vulnerability being disclosed) showed that 64% of Internet users were aware of the bug, 39% of users took actions to secure their online accounts, such as changing passwords, and 29% felt their personal information was put at risk because of the bug.

Some organizations quickly patched their systems, while others took longer to respond. Ten years later, around 60,000 servers are still running Heartbleed OpenSSL around the world, according to Chartier. He recommends companies understand their attack surface better and thoroughly test the open source tools they use.

Heartbleed was among the first vulnerabilities to be branded with a name and logo, a practice later embraced by other researchers for other vulnerabilities. While some followed Codenomicon's strategy to highlight serious threats, others applied catchy names to less critical, mundane bugs. Some names were downright silly, such as POODLE, FREAK, Badlock, Thrangrycat (which was also named using three angry cat emojis), and Pork Explosion.

The branded-vulnerabilities trend prompted many in the information security community to raise their eyebrows. In an April Fool's Day blog post in 2015, Brian Gorenc, Trend Micro's vice president of threat research, offered "two hours of graphic design work to create a logo specific to your bug," as part of what has been dubbed the "No More Ugly Bugs" movement.

Sometimes, the name of the bug was blown out of proportion.

"[N]ot every named vulnerability is a severe vulnerability despite what some researchers want you to think," wrote Leigh Metcalf, a senior network researcher, for Carnegie Mellon's Software Engineering Institute blog. "Sensational names are often the tool of the discoverers to create more visibility for their work."

This trend of choosing dramatic names for vulnerabilities has sparked discussions about the balance between necessary caution and excessive hype.

"You can go overboard with branding," says Mikko Hyppönen, chief research officer at WithSecure. "Every mundane vulnerability doesn't need a website and a logo — even though marketing departments would like that."

Balance Between Marketing and Security

Deciding whether to name a vulnerability is a tricky call to make.

"For every Heartbleed, there are just a bunch of bugs that are not as serious as people think they are," says Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI). "We need to be careful with what we name and with how we promote it. It's very easy to go from doing well for the community to overpromoting something for personal gain."

Vulnerabilities with widespread exploitation or those impacting multiple products deserve names, he argues. However, he also believes that bugs affecting specific systems should simply be referred to by their CVEs.

"I don't think one bug affecting Windows should be named. I don't think one bug affecting Mac OS should be named," Childs says.

ZDI does not name its bugs because that's not a line the organization wants to cross, "even though it is clear sometimes that line needs to be crossed," Childs says, though he agrees that in the case of serious vulnerabilities like Heartbleed or Log4j, using a name instead of a CVE makes a difference.

"CVEs are very useful from a documentation perspective," he says. "But when you're talking to your C-suite, to folks who are making decisions but aren't necessarily technical, it's easier to have a name to call something. It makes the conversation simpler."

Naming vulnerabilities also creates problems, especially when the name makes the bug seem either too benign or too scary.

"No sysadmin likes to patch unnecessarily or before understanding the scope of a vulnerability and the options for mitigating exploits," says Sean O'Brien, lecturer in cybersecurity at Yale Law School and founder of Yale Privacy Lab.

It is why sysadmins and security experts responsible for patching vulnerabilities need to consider their priorities carefully and avoid the pitfall of rushing to patch a bug solely because it has a sinister name and is in the news.

When choosing a name for a vulnerability, organizations should be careful with humor, which could downplay the seriousness of a threat or even make people angry, O'Brien adds.

"That's especially true when bias about the origin of a threat creeps into the name," he says. "I don't think most American security professionals would warm up to a name like 'Crappy Eagle' about a vulnerability that likely emerged from an NSA arsenal."

In recent years, various organizations have started to think that the name should reflect the seriousness of the threat, as well as how the bug can be exploited. One initiative that aimed to settle the issue was Vulnonym, which attempted to give researchers guidance in naming CVEs. The initiative, however, had limited success. 

"I don't think we need a central org that names vulnerabilities," says security researcher Martijn Grooten, former editor of the Virus Bulletin. "For most practical purposes, CVEs work just fine."

Ten years after Heartbleed, the security community continues to grapple with naming vulnerabilities.

"It's always going to be tough to strike that balance as security and marketing often have different interests," Grooten adds. "The important thing for me will be to always make claims that are accurate."