by ozim 2011 days ago
Well, I don't see a real practical reason for keeping it secret.

If you look at the operation model of threat actors, even with the current hack, they have their targets and no one is going to say "hey they have solar winds let's hack them". Threat actors have their budget, limited time and goals. They could also find this information by other OSINT means. Even if they have it on that page, they still need to do their research.

Even if SolarWinds did not have a list on their page, they are so big that you can count them as an interesting target anyway. It is the same with Google and MSFT: you can safely assume that if you hack them, some of your targets will use some tools from those companies.

I mean security by obscurity is fine, but I don't see what kind of value it would bring in this scenario.

2 comments

> Well, I don't see a real practical reason for keeping it secret.

Generally, you have to get a company's permission to use its name or logo as an endorsement. That agreement has stipulations, such as being revoked if the association could bring disrepute or reputational harm to the endorser.

I'm sure none of the companies on that list want their investors calling the IR to ask about whether this event is a material issue for the company.

Well, my company never had anything to do with SolarWinds and I expect to get calls from our customers tomorrow anyway.

Had the same with the Citrix hack that was going around: we never had any Citrix, but we got at least ten calls.

I'm not a security person, but my first thought is that you're not trying to avoid "hey they have solar winds let's hack them," but rather "Hey, I want to attack Large Co., and a quick Google search says they run software from these 14 companies, so compromising any of those might get me in."