When should you name a bug?
There has been a lot of talk about naming bugs, Heartbleed is the bug that started this trend, badlock seems to be the one that made people start to talk about how stupid bug naming is.
My first question is why do people feel the need to name a bug?
Possible answers:
- It’s cool and everyone else is doing it.
- It makes the marketing easier.
- They think it is easier then remembering CVE numbers.
- They need some words to go with the cool logo.
Does a name add value? Does a name make life easier for people who need to talk about the bug?
For example:
As a red team is it normal to talk about owning a system using MS08-067 or CVE-2008-1447?
As a blue team do you talking about patching CVE-2014-6271 or is it more normal to talk about patching “Logjam” in OpenSSL?
Some bugs are born with a name, some achieve a name, and some have a name thrust upon them.
At the end of the day, some bugs are more worthy of a name than others.
- MS08-067 - I think this should have a name, it has given many years of happiness to red teams.
- CVE-2008-1447 - Maybe this should have a name.
- CVE-2016-2118 - This only has a name for marketing.
- CVE-2016-3714 - This bug should never have been given a name or a logo.
What about having logo’s and websites? This is called marketing and I am tempted to say that you should never do a logo or a website for your bug, but that would be suppressing your artistic talent. Feel free to make a logo and a website, but be aware that many people will point and laugh.
I think that names do add value, how many readers Googled any of the CVE’s listed in the article so far? For example how many readers assume that CVE-2014-6271 is “Logjam” in openssl ?
This is all about how we convey information clearly and with as little hype as possible, if you are using a name to make discussion easer then that is fine with me, but if you are using a name and logo just to up the hype then maybe you need to go and write for CNN.