There has been another round of branded CPU side-channel disclosures doing the rounds this month, complete with the now-mandatory short name and a tidy little site explaining why your processor has been quietly leaking data across boundaries it promised to keep. I am not going to pretend the underlying research is anything other than excellent, because it is. The speculative-execution family of bugs has been some of the most genuinely clever security work of the last couple of years. My complaint is not with the researchers. It is with what happens after they publish.
Somewhere around Heartbleed in 2014 we collectively decided that vulnerabilities needed marketing. A name, a logo, often a domain bought specifically for the occasion. The reasoning was sound at the time: a memorable name gets the bug onto the desk of people who do not read the oss-security mailing list, and that gets things patched faster. I believed that argument then and I half believe it now.
The trouble is that the branding has decoupled from the severity. A logo no longer tells you whether to drop everything or to schedule the patch for the next maintenance window. Some of the scariest-looking websites front bugs that need local code execution and a following wind to exploit, and some genuinely urgent remote holes go out as a plain CVE number that nobody outside the security world ever hears about. The marketing budget and the actual risk have stopped correlating, and that is a worse position to be in than the alphabet soup of CVE identifiers we were trying to escape.
What I actually want, as the person who has to decide whether to reboot a fleet on a Friday afternoon, is boring. I want the affected versions, the preconditions for exploitation, whether there is a working proof of concept in the wild, and the patch. The logo tells me none of that. Worse, the logo creates a sort of alert fatigue all of its own, where the third branded CPU bug of the year gets a weary shrug from people who really should be reading the mitigation notes.
So this is the routine now, branding stripped out. Read the actual advisory, not the press release. Check whether the preconditions apply to anything I run, because half the time they do not. Look at the performance cost of the mitigation, since with this class of bug it is rarely zero and sometimes eye-watering. Then decide, on the evidence, whether this is a tonight problem or a next-Tuesday problem. The name and the logo get no vote.
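The routine above is the whole point, so here it is as a small triage script. This is an added example, not the author's code: the advisory fields, host inventory, hostnames, kernel versions and the two-tier priority labels are all constructed for illustration, and the CVE identifier is a placeholder. The script checks the only things that matter from the paragraph: does the affected version range cover anything in the fleet, do the exploitation preconditions actually apply to those hosts, is there a public proof of concept, and what the mitigation costs.

```python
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn a kernel string such as '5.15.0-91' into a comparable tuple.

    Assumption: the distro suffix after '-' carries no security meaning here,
    so only the dotted numeric core is compared. Real advisories may need a
    distro-specific parser; this one is deliberately simple.
    """
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


@dataclass(frozen=True)
class Advisory:
    """The boring facts the paragraph asks for, stripped of branding."""
    ident: str                 # placeholder identifier, not a real CVE
    affected_min: str          # first affected version (inclusive)
    fixed_in: str              # first fixed version (exclusive)
    needs_local_code: bool     # precondition: attacker must already run code locally
    poc_public: bool           # working proof of concept known to be public
    mitigation_cost_pct: int   # rough throughput cost of the mitigation


@dataclass(frozen=True)
class Host:
    name: str
    kernel: str
    runs_untrusted_code: bool  # e.g. CI runners, multi-tenant workers


def is_affected(host: Host, adv: Advisory) -> bool:
    """Version-range check: affected_min <= host version < fixed_in."""
    v = parse_version(host.kernel)
    return parse_version(adv.affected_min) <= v < parse_version(adv.fixed_in)


def preconditions_apply(host: Host, adv: Advisory) -> bool:
    """A local-only bug is not exposed on a host that never runs foreign code."""
    if adv.needs_local_code and not host.runs_untrusted_code:
        return False
    return True


def triage(adv: Advisory, fleet: list) -> dict:
    """Decide, on the evidence, whether this is a tonight or a next-Tuesday problem."""
    affected = [h.name for h in fleet if is_affected(h, adv)]
    exposed = [h.name for h in fleet
               if is_affected(h, adv) and preconditions_apply(h, adv)]
    if not exposed:
        priority = "not-applicable"
    elif adv.poc_public:
        priority = "tonight"
    else:
        priority = "next-tuesday"
    return {
        "advisory": adv.ident,
        "affected_hosts": affected,
        "exposed_hosts": exposed,
        "mitigation_cost_pct": adv.mitigation_cost_pct,
        "priority": priority,
    }


# Constructed sample fleet and advisory; every value here is made up.
FLEET = [
    Host("web-01", "5.15.0-91", runs_untrusted_code=False),
    Host("build-03", "5.15.0-88", runs_untrusted_code=True),
    Host("db-02", "6.1.0-7", runs_untrusted_code=False),
]

ADVISORY = Advisory(
    ident="CVE-0000-00000 (placeholder)",
    affected_min="5.10",
    fixed_in="5.15.100",
    needs_local_code=True,
    poc_public=True,
    mitigation_cost_pct=8,
)

if __name__ == "__main__":
    for k, v in triage(ADVISORY, FLEET).items():
        print(f"{k}: {v}")
```

Run as-is it reports two hosts inside the affected range but only one actually exposed, because the web host never executes code it did not ship with; that single host plus a public proof of concept is what makes it a tonight problem. Flip `poc_public` to `False` and the same bug drops to the next maintenance window, which is the decision the logo cannot make for you.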
I do not expect the trend to reverse. A named bug is a CV line and a conference talk, and I cannot blame anyone for wanting those. I just wish we could keep the cleverness and lose the implication that the size of the launch tells you anything about the size of the risk. Patch on the facts. The website is just a website.