Ramblings of an aging IT geek

when a bug gets a logo before it gets a patch

A look at why branded vulnerabilities like the latest round of headline CVEs make triage harder, not easier, and how I actually decide what to drop everything for.


There is a particular flavour of June morning where you open your feeds and a vulnerability has a name, a logo, a colour scheme and, if it has really arrived, a single-page website with a FAQ. This month it was another batch of speculative-execution follow-ups doing the rounds, the sort of thing that gets a snappy name and a CPU vendor advisory, and the whole industry collectively groans and reaches for the same mug.

I am not against branding a bug. Heartbleed earned its name. It was genuinely catastrophic, genuinely widespread, and the logo helped non-technical managers understand that yes, this one is real, please approve the maintenance window. The branding did a job that a bare CVE number cannot: it crossed the gap between engineering and everyone who signs the cheques.

The problem is that the technique worked, so now everything gets the treatment. A local-only privilege escalation that needs an authenticated user and a following wind arrives with the same fanfare as a remote unauthenticated worm. The logo flattens severity. It tells you something is scary without telling you whether it is scary to you.


So my actual triage hasn't changed in years, and the branding doesn't touch it. The first question is reachability: can the thing that is vulnerable be reached by the thing I am worried about? A glamorous remote code execution in a library I compile out, or sat behind three layers of network that the attacker would need to already own, is a Tuesday-afternoon patch, not a 3am page. The second question is exploit maturity. Proof of concept on a researcher's blog is a different animal to a Metasploit module and traffic already hitting honeypots. The third is blast radius if I'm wrong.

None of those questions are answered by a logo. They are answered by the boring fields in the advisory: the CVSS vector, yes, but really the attack vector, the privileges required, whether user interaction is needed, and whether anyone has actually seen it used. The colourful website tends to bury those under a paragraph of prose designed to be quotable.
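As an added example, not code from the post, here is the three-question triage above written down as a small Python helper: it parses the CVSS v3 base vector for the attack vector, privileges and user-interaction fields, takes reachability, exploit maturity and blast radius as inputs, and never looks at the name. The `Advisory` fields, the sample vectors, the maturity ladder and the "two of three" threshold are my own constructed assumptions, not anything the advisory format defines.

```python
import re
from dataclasses import dataclass

# Accepts "CVSS:3.0/..." or "CVSS:3.1/..." base vectors; metric names are 1-3 capitals.
VECTOR_RE = re.compile(r"^CVSS:3\.[01](?:/[A-Z]{1,3}:[A-Z])+$")
# Constructed exploit-maturity ladder, least to most worrying.
MATURITY = ("none", "poc", "weaponised", "in_the_wild")

def parse_vector(vector: str) -> dict:
    """Turn a CVSS v3.x vector string into {metric: value}; rejects anything else."""
    if not VECTOR_RE.match(vector):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    return dict(part.split(":") for part in vector.split("/")[1:])

@dataclass
class Advisory:
    name: str          # marketing name, kept only as a search key
    vector: str        # CVSS base vector copied from the advisory
    reachable: bool    # question 1: can the feared actor reach the vulnerable code?
    maturity: str      # question 2: one of MATURITY
    blast_radius: str  # question 3: "host", "segment" or "fleet"

def triage(adv: Advisory) -> str:
    """Return "page" (drop everything) or "window" (scheduled maintenance)."""
    if adv.maturity not in MATURITY:
        raise ValueError(f"unknown exploit maturity: {adv.maturity!r}")
    m = parse_vector(adv.vector)
    # Not reachable: compiled out, or behind layers the attacker would already have to own.
    if not adv.reachable:
        return "window"
    remote_unauth = m["AV"] == "N" and m["PR"] == "N" and m["UI"] == "N"
    weaponised = MATURITY.index(adv.maturity) >= MATURITY.index("weaponised")
    fleet_wide = adv.blast_radius == "fleet"
    # Assumed threshold: a page needs two of the three to line up; the logo counts for nothing.
    return "page" if sum((remote_unauth, weaponised, fleet_wide)) >= 2 else "window"

# Constructed sample advisories; vectors are illustrative, not real CVEs.
SAMPLES = (
    Advisory("ShinyLogoBug", "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", True, "poc", "host"),
    Advisory("CVE-XXXX-PLACEHOLDER", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True, "in_the_wild", "fleet"),
    Advisory("GlamorousRCE", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", False, "weaponised", "fleet"),
)

def triage_all(advisories: tuple = SAMPLES) -> dict:
    """Map each advisory's name (the search key) to the window-or-page decision."""
    return {a.name: triage(a) for a in advisories}

if __name__ == "__main__":
    for name, decision in triage_all().items():
        print(f"{name:24} -> {decision}")
```

The unbranded, in-the-wild, fleet-wide one is the page; the branded local bug and the glamorous but unreachable one are both windows.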

What I have started doing, and I recommend it, is treating the name purely as a search key and otherwise ignoring it. The name is useful for one thing: finding the vendor advisories, the distribution security trackers and the mailing-list threads where the people who actually understand the internals are arguing about whether it matters. That argument is where the real severity lives. By the time something has a tidy FAQ, the FAQ is marketing. The thread on oss-security is the engineering.

The cynical reading is that a branded vulnerability is a recruiting tool for a security firm, and sometimes it plainly is. But I have made my peace with that, because the alternative, a world where serious bugs ship with no fanfare and quietly rot in unpatched fleets, is worse. Heartbleed got patched fast partly because it was impossible to ignore. I just wish the same machinery weren't now applied to every info-leak that needs ring 0 and a fortnight of uptime.

So when the next one lands, and it will land before July, I'll do the same thing. I'll note the name, ignore the logo, read the vector, and decide whether it's a window or a page. Mostly it's a window. Occasionally it's Heartbleed again, and then I'm grateful someone made it impossible to look away.