The Heartbleed.com information website on April 17, 2014.
In the world of marketing, Heartbleed was a bloody masterpiece.
While it's standard practice for cyber-security companies to assign newly discovered Internet attacks with cloak-and-dagger-sounding names like Night Dragon and Operation Clandestine Fox, that's typically not the case for programming errors, which inherently aren't as sexy and are often quickly fixed after they're announced.
But this bug was different. Cyber-security firm Codenomicon spotted the hole on April 3 as part of ongoing work looking for gaps in OpenSSL, software that encrypts the communications between people's browsers and websites they visit, co-founder Mikko Varpiola said in an interview. The Finnish company has discovered other bugs in the software, but this one was exceptionally serious because it could allow hackers to silently steal data from target servers.
When Codenomicon CEO David Chartier was first alerted to what his researchers found, it was immediately clear this was a big deal, he said in an interview. The company notified the appropriate authorities and quickly got to work on a marketing plan.
It was the researchers' idea to name the bug and create a website dedicated to explaining it, Chartier said, "to make it very easy to understand."
Software bugs are often announced to the world with the low-key posture of something that doesn't want to be found. They're assigned eye-glazing, industry standard codes such as CVE-2012-2333 and CVE-2008-0891, which mean something to technology managers but are gibberish to everyone else.
That wouldn't do on this occasion. So an engineer came up with "Heartbleed," which plays off the "heartbeat" function in OpenSSL that can be manipulated to leak, or bleed, data. (The bug's official name is CVE-2014-0160.) Then a graphic designer came up with the logo.
When the OpenSSL Project announced the bug and the availability of a fix for it April 7, news outlets around the world picked up the story, thanks in part to its emotionally charged name and that evocative bleeding-heart logo. That set off a race among Internet companies to apply a fix and led to revelations that the National Security Agency has exploited it for years for surveillance purposes.
Never mind that a Google engineer actually found the bug first. The online search giant had taken the opposite approach: It did zero publicity around the find.
Also worth noting is that Codenomicon made a flawed assessment about the size of the problem. The company initially said that as many as two-thirds of all websites - hundreds of millions of them - were potentially vulnerable to Heartbleed, based on the market share of open-source software that uses OpenSSL.
But Netcraft, the U.K. company whose data the estimate was based on, said the actual figure was closer to 500,000. The difference is that not all sites that could have used OpenSSL actually did use the software, according to Netcraft. It's only used for secure communications, and not all sites need that.
Chartier said the oversight was unavoidable. The company didn't want to tip off any entities outside official channels about what it had found, so it based its estimates only off publicly available information.
Still, how Heartbleed was transformed from a security hole in an obscure part of open-source encryption software into a brand recognized around the world is a "fascinating case study in the success of viral marketing," said Andrea Matwyshyn, assistant professor at the Wharton School of the University of Pennsylvania. It's a rare instance of a deeply technical cyber-security issue being presented in a polished way for consumers and the media, said Matwyshyn, who is also a senior policy adviser to the Federal Trade Commission on privacy and security.
And the outcome was a win-win. Most websites fixed their systems quickly, and there's been a spike in interest for Codenomicon's products, Chartier said.
"It's always good to get your name associated with something like this," he said. "We have lots of inquiries."