Thou Bleeding Heart – Brand Response to the OpenSSL Security Bug

April 12, 2014
Posted by: Matthew Hammer, VP, Marketing

With the widespread media coverage of the Internet security bug known as the Heartbleed bug, people are understandably anxious to know how exposed they are and what they can do to protect themselves.
Brands are also understandably nervous to talk about security vulnerabilities in social channels for fear of stoking more anxiety among customers — particularly sites that rely heavily on e‑commerce.
At LiveWorld, we’ve always believed that being forthright and transparent is the best policy, and that proactive communication builds trust between people. So even if your customers aren’t talking about Heartbleed in droves on your social channels, we suggest initiating the conversation because it’s a topic at the top of everyone’s mind — or should be.
Consider it a public service to your customers.
 
How To Talk About Heartbleed in Social
Facebook and Twitter are both excellent channels for sharing breaking news, but the nature of each channel limits how much you can say. On Facebook, you get a little more leeway to go into detail, whereas on Twitter you really only have space for one fact plus a link to a page with the additional information you want to share.
In either channel, we suggest making a post this weekend because weekends are typically high engagement days in social channels, and you’ll share the info with the widest possible audience.
So…what should a brand DO about Heartbleed in social channels?

  1. Acknowledge the existence of the bug and explicitly state the potential exposure on your own websites (i.e., affected, not affected, partially affected).
  2. Give info on whether brand sites have installed the security patch or do not need to do so.
  3. Inform customers that, if the site was vulnerable to the bug, you will require them to change their passwords on their next login.
  4. Set up a FAQ page on your website giving more info for Heartbleed and Internet security best practices.
  5. Provide URLs for customers to check vulnerability on other sites. Here are a few:

[Screenshot: list of Heartbleed vulnerability-checker sites]
Setting up a Heartbleed/Internet Security FAQ page on your website might seem like a lot of work, but it can also include more evergreen content about personal best practices for internet privacy and security — and be a year-round resource. This is a really useful service you can provide for your customers; and creating this page now, if you don’t already have it, will serve you well the next time an internet security/privacy issue comes along (and it will).
 
Heartbleed Background Info for Your FAQ
Lots of articles already give great detail on the Heartbleed vulnerability, but here’s how we describe it in plain English for non-tech folks.
The Heartbleed bug is a security vulnerability in recent versions of a component of technology called OpenSSL, which is short for the Open Secure Socket Layer. A substantial number of websites use this technology to serve secure web pages over HTTPS.
Around the same time the flaw was made public, a tool was written to exploit this vulnerability to reveal the most recent chunk of data processed by the affected servers. This chunk of data might include usernames and passwords.
For this reason, LiveWorld believes it is a good idea for Internet users to change their passwords at sites they have visited after the bug became public on Monday, April 7.  
It is critical that users check to make sure that the vulnerability has been fixed before changing their passwords. You can also check here whether a site is still vulnerable.
While there have been no indications of large-scale breaches, many websites may begin requiring their users to change passwords, and that’s a good thing to require if your site needed a security patch.
Given the large-scale awareness of this vulnerability, it’s also likely that scammers will try to take advantage of the situation with phony phishing emails that trick potential victims into revealing their passwords.
Providing basic info on how to detect a phishing scam is good information for your FAQ.
 
Building Trust 
While no one really wants to talk about Internet security and privacy, it’s important to lead the conversation when something negative happens in order to build trust with your customers. If your customers have heard about Heartbleed, they’re worried about their vulnerability on all the websites that they visit, and you can calm them by proactively telling them that yours wasn’t affected.
If your site WAS vulnerable to the OpenSSL bug, then it’s better to let customers know that before they ask; it shows that you’re on top of things and always looking after their best interests. It’s better to bring them a problem solved, than to wait for them to ask what they should do.
If customers have to ask if they’ve been exposed on your site, a seed of mistrust has already been planted. It’s harder to regain trust than it is to keep it, so get out in front of delicate issues like these and be the one to bring it to their attention first.
Issues like Heartbleed give you an opportunity to build and gain trust by informing customers with critical news when they need it most.
Have you posted anything about the Heartbleed bug in your social channels yet?