Why I Love Marketing Vulnerabilities

But don’t you speak CVE?

  1. Every year, thousands of new unique identifiers (CVEs) are created to encompass vulnerabilities that have been disclosed. When a severe bug is identified, it gets the same treatment as any other in terms of publishing, thus, sometimes being lost in the noise.
  2. Absent a “friendly” name, I am left to use the assigned unique identifier or attempt to describe (ex. “the new RDP bug”) the vulnerability when engaging with my peers or management.
  3. The source of truth for a CVE depends a bit on the CVE Numbering Authority and what they choose to include along with how they format their publishing. Not all the information I may want will be at the source and I may need to seek information elsewhere.

ZombieLoad (CVE-2018–12130)

Screenshot of the https://zombieloadattack.com website outlining the vulnerability

Benefits Within the Marketing

  • A catchy or formal name is easier for communication. The use of ZombieLoad in this example has a number of surface benefits. It’s a name that is unexpected and likely to draw attention, it’s far easier to recall than using CVE-2018–12130, and it cleverly describes the vulnerability that can be exploited.
  • A dedicated website serves as a single source-of-truth. The first search result for “ZombieLoad” is a dedicated website for the vulnerability. Users can download the research paper, test the attack (linked directly to code in Github) or begin answering questions they may have.
  • Messaging is impact driven, less technical driven. The ZombieLoad website is well-formed and describes the vulnerability in a straight-forward way. Instead of focusing on the technical nuances of the vulnerability, its authors summarize their findings and put the common questions most people may have upfront.
  • Credits and acknowledgments are clear. Finding vulnerabilities can be a laborious process that doesn’t always result in success. Those who find a bug should get proper credit for doing so along with anyone else who aided their research or helped fix the bug.

So…Market All the Vulnerabilities?



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Brandon Dixon

Brandon Dixon


Founder of @BlockadeIO, PDF X-RAY, and @PassiveTotal. Partner and developer for @TheNinjaJobs. VP of Strategy for @RiskIQ. Roaster at @SplitKeyCoffee.