Google Search Site search Web search  
Jobs in PR
Career Guides
Toolkit: How to PR
Desk References
Media Relations
Crisis Management
Basics of PR
International PR
Professional Orgs
Wired PR
Steven R. Van Hook
All Subjects

The Balancing Act of Announcing Bugs
How to publicize software security vulnerabilities.
 Related Resources
 Basics of PR
 Media Relations
 Jobs in PR
 PR Toolkit
 Lots More PR Articles

 by Shany Seawright
Strategic Communications Group

Shany SeawrightAs hacking has morphed from a pastime of small time thieves and teenage geeks into a serious financial and national security threat, the issue of when and how to publicize network security vulnerabilities has become an acute concern.

It can be a challenge finding a balance between disclosing the required information at the appropriate time and allowing software vendors time to correct the situation before the knowledge falls into the wrong hands.

The practice of spreading FUD (fear, uncertainty and doubt) can be tempting. Researchers and security experts alike gain publicity for finding a vulnerability and notifying the community. But there is a clear danger to this practice. One can be viewed as over-hyping a threat or needlessly scaring the public. Indeed, with so many vulnerability announcements in the last few years, there is a real risk of becoming "the boy who cried wolf" as the public disregards the myriad warnings.

The most effective approach from both a public safety and public relations perspective involves close collaboration between stakeholder organizations, software vendors, and the government.

Once a software security vulnerability is identified, the starting point is to discreetly notify the software vendor. The two sides should work together on a patch and coordinate the release of the information when the remedy is available. According to CERT Coordination Center (CERT/CC), vulnerabilities need to be disclosed within 45 days, giving vendors ample time to create a solution to the problem.

Organizations, such as CERT/CC, should also be notified in the process of responsibly disclosing a vulnerability. The organization can help analyze the vulnerability and coordinate communications among the proper experts and the government. Lastly, the editorial board of Common Vulnerabilities and Exposures (CVE), the standard listing for information security vulnerability names, must be contacted and made aware of the vulnerability so that it can be universally named and tracked through an official addition to the CVE list. 

At the end of the day, researchers and security experts must recognize their true motive for disclosing a network vulnerability. If the community is put in greater jeopardy or risk by publicizing the threat, than the disclosure is irresponsible. But by ensuring that vendors, experts and government are all stakeholders in the communications process, the greater community good is served. 

Shany Seawright is a Director at 
Strategic Communications Group
, an award-winning public relations 
and business development firm based in Silver Spring, MD. 
She can be reached at

More Articles  |  Submit Your Article  |  PR Subjects

About Public Relations Homepage

Contact Us