Ramblings of an aging IT geek

the bug had a logo before it had a patch

A grumble about branded vulnerabilities, prompted by yet another big breach this week, and why a logo doesn't tell you how worried to be.


Another week, another large breach in the headlines, this time Facebook disclosing that an access-token flaw exposed something on the order of fifty million accounts. It's serious and it deserves the coverage. But it set me grumbling about a habit the industry's picked up since Heartbleed: the better a vulnerability's branding, the harder it is to tell how much you should actually care.

We've had a run of them. Spectre and Meltdown earlier in the year arrived with logos, websites and FAQ pages, and this summer's Foreshadow turned up dressed the same way. Some of that polish is genuinely useful. A memorable name does cut through, and a good explainer page helps a sysadmin work out whether they're exposed before the patch ships. I'm not against clear communication about security. I'm against confusing the marketing with the severity.

The trouble is that a logo flattens everything to the same apparent altitude. A remote unauthenticated root and a local-only info leak that needs an attacker already on the box can both get a slick site and a clever name, and to a manager skimming the news they read identically. I've spent more than one morning talking someone down from a branded-vuln panic over something that needed physical access and a following wind, whilst a quietly numbered CVE in our actual stack sat unpatched because it didn't have a website.

So my rule hasn't changed. Read the CVSS vector, not the homepage. Ask the only two questions that matter for your estate: am I exposed, and what does an attacker need to pull it off? The logo tells you how good the discoverer's designer is. It tells you nothing about whether to lose sleep.