Juha Saarinen: Learn how to care and share and you will profit

Photo / iStock

The company you and your friends set up has fantastic products and services, and some superbly clever staffers who really know the ins and out of the technology they work with.

Things are going well, but you'd like to raise the company profile in the wider community, for whatever reason. How would you do that? A boring old marketing campaign? Doing something weird and viral?

How about taking a leaf out of local point of sales systems geeks' Vend's book, and do something good for the community instead?

This week, four Vend staffers and a security researcher from United States enterprise Linux distributor Red Hat published a great advisory on a potentially very serious security flaw in web applications.

It's a flaw that's been known for the last fifteen (yes, 15) years and which is patched in some software, but not in others that are commonly used on the Internet. Not the most obvious one to spot either.

The bug is easy to exploit and do bad things with, so if your organisation runs web servers with vulnerable apps, make sure the proposed fixes (also easy) are applied to stop any potential abuse.

Now, the Vend developers who discovered and researched the flaw learnt a thing or two from the Heartbleed security scare two years' ago which saw a really rather obscure security bug hit mainstream media because they had something to hang their stories on, a central theme that crystalised what the problem was.

That means the Vend people thought up a cool name - httpoxy - for the flaw, and a snazzy logo and an advisory website with its own domain (httpoxy.org).

The site contains the research and advice needed to fix your systems, credits to those who worked on it, and no tacky plugs for Vend as a company. It's done totally right in that respect and really, it's public relations gold. Money couldn't buy it.

Keep the easy to remember names for the really serious bugs in other words.

Allowing staff to work on side projects that benefit the larger community is also a great way to bolster morale, and potentially to attract talent to the company, not to mention learning new stuff (building up a security knowledge base is never wrong).

There are some ground rules here though: since Heartbleed, we've had all sorts of hip names for security scares, both serious and insignificant. And that's a shame - having a name instead of for instance a numeric identifier helps everyone keep track of security issues, but there's a limit to how many any sane person can process.

If the NUKEMFROMORBIT flaws is hard to abuse and affects only a tiny amount of systems, it'll just irritate people if you go over the top with it, no matter how cool the logo might be.

Keep the easy to remember names for the really serious bugs in other words.

Working with the distributors and vendors of the affected products is a must too.

Responsible disclosure so that software patches (if needed) can be developed to fix the bugs benefits everyone.

Dropping news of a huge security hole suddenly and without giving people a chance to fix them first might be tempting as an attention seeking device, but it's not cool and will undo all the karma your company might have otherwise earnt from the disclosure.

Looking at the bigger picture, the above would be difficult to achieve without open source software. Proprietary code is not something you can rip into and write about in the public, especially if it contains defects. Big vendors tend to get grumpy if you do and sic the lawyers after you.

If you ever have to write a business case to help decide whether to select an open or proprietary code strategy, not being constrained when it comes to caring, sharing and earning important kudos from the community should go into it.