Every day we are bombarded with information. Something is always happening somewhere to someone and unfortunately it's rarely good. Looking at this through the lens of information security, NOT getting the right details at the appropriate time could be the difference from stopping and blocking an attack, or being the next sad, tragic headline...
Red Hat Product Security oversees the vulnerability remediation for all of Red Hat's products. Our dual mission of governing guidelines and standards for how our products are composed and delivered is balanced with our in-taking, assessing, and responding to information about security vulnerabilities that might impact those products. Once a flaw has been identified, part of our role is to understand its real impact and try to produce a calm, clear direction to get issues that matter remediated. One big challenge is understanding when something is bad and could cause harm compared with something that is completely terrible and WILL cause major havoc out “in the wild." For the layperson, the facts and the hype can be extremely difficult and time-consuming to separate so that they can act appropriately.
Recent trends in the security field haven't been helping. It seems as if every month there is a new bug that has a cute name, a logo, and a webstore selling stickers and stuffed animals. While awareness of a problem is an excellent goal, oftentimes the flashing blinky text and images obscure how bad (or not) an issue is.
Thankfully, for over 15 years Red Hat Product Security has been providing calm, accurate, timely advice around these types of issues. We're able to separate the hope from the hype, so to speak. To that end, with the meteoric rise of “branded” flaws not stopping in the foreseeable future, Red Hat Product Security developed a special process to help inform our valued subscribers and partners when these situations arise. We call it our Customer Security Awareness (CSAw) process:
We've augmented our processes to include enhanced oversight and handling of these very special issues. Some of these issues could be of such grave risk the need for quick actions and good advice merits extra special handling. Other times we might recognize that a security bug has the potential to have it's own PR agent, we take the right steps so that customers proactively get the appropriate level of information, allowing them to decide how quickly they need to react based on their own risk appetites. We ensure we provide special tools and extra alerts so that when these things really DO matter, the decision makers have the right data to move forward.