by artisanspam 505 days ago
The marketing culture for announcing hardware exploits is so strange to me. The norm seems to be getting a custom domain, logos, demos, an FAQ... why do all this instead of just reporting the exploit and releasing a paper?
7 comments

Only academics read exploit papers. I don't see anything wrong with releasing the information in a more digestible way if it is something that affects the general populace. I only knew about Heartbleed because of the website. https://heartbleed.com/
Heartbleed et al. demonstrated conclusively that recognition matters; I don't begrudge researchers any technique that increases the relative visibility of their work.
It's happening in other parts of the research world too: a couple of colleagues of mine were talking recently about a paper we found at a conference last year that had a web page to go along with it, with a domain and fancy graphics and such. For a boring programming languages paper. We concluded this is the modern way to try to jack your citations by getting noticed for everything but the technical content of the work, which is a bit off-putting.
Getting funding and good job offers is mostly about marketing. Even worse, lots of people controlling the purse strings aren't domain experts. In a way, it's no different from getting published in specific high-profile publications or attending specific universities.
It's a recent trend basically since Heartbleed had a cool name and lots of press. Why would you not want your exploit to be well known and to get lots of credit for it? If anything it's surprising it didn't happen earlier.
The custom domains can be a little silly, but for all the rest, why not? Logos (and the associated fancy name) are a lot more memorable than CVE-2025-XXXX. Demos are and were always appreciated. FAQs are a lot more digestible for the average reader than a paper.

I know it's kind of goofy, but I don't really see the downside to it.

Blame society. Businesses won't value security unless the fear of getting attacked is sufficiently strong and the losses significant. Otherwise why invest in it at all?

Definitely not just hardware exploits though. Look at Heartbleed for example. It's been going on a long time. Hardware exploits are just so much more widely applicable, hence the interest to researchers.

It also feels like people who are highly determined to build high-quality, secure software are not valued that much.

It is difficult to prove their effort. One security-related bug removes everything, even if it happened only once in 10 years in a 1-million-line code base.

In this case it is a very generic domain name. Maybe a more specific one would be okay, but this is not anymore.