
PR is absolutely essential for a major vulnerability. They are events that affect real people's lives.


But then it becomes a shouting match and many critical bugs not backed by companies looking to profit from them go without notice.

Such as the ASLR/PIE bypass in the Linux kernel on Jan 9, 2015 which never had a brand name:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-95...

Or the critical Firefox media plugin sandbox escape from Jan 13, 2015:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-0...

Not to mention the other countless Flash exploits that come out each year allowing drive-bys to happen.

This seems to be a communication problem; for example, most platforms don't have systems to automatically notify us based on which software we use. Relying on marketing/branding for bugs to reach us seems highly inefficient, considering we're in the business of software.


What makes the Firefox sandbox escape "critical"? It requires at least one other, unknown bug to exploit. Seems like a pretty run-of-the-mill issue that will get fixed in the next Firefox update. The fact that most Firefox users won't ever know about it doesn't matter.


I mostly agree with you here, most browsers would take multiple exploits combined together to be effective. And the update process is fairly rapid with Firefox these days - especially compared to glibc and (often) Linux kernel rollouts. So this would exclude the script-kiddies unlike Heartbleed which was quite accessible to newbs who could use a single PoC.

Browser sandbox escapes are less common than higher level bugs so they have some FUD-appeal. But my point isn't to say that these are worse than any other bugs, or more exploitable for that matter. Merely that they are similarly bad but not as well covered. Both are definitely in the same class as Shellshock or Ghost.

I'm not saying particularly bad ones aren't in need of special attention, merely that playing the branding game as a security strategy is mostly non-productive when countless relatively unknown me-too's exist at all times.


There is no inherent correlation between the severity of the find and the PR budget available to the discoverer.

On top of this, some types of security claims attract considerably greater attention than others for reasons unrelated to their actual impact or merit. If you mention privacy, Internet of Things, malware, and rooting in a single sentence, you will get headlines out of it, no matter how bogus the underlying claims may be.

You need a reliable way of finding out about the vulnerabilities that affect you even if they are discovered by a teenager in Romania and a PR agency is not involved.


Breathlessly panicking about vulnerabilities is worse than no PR at all. There are well-established avenues for keeping up with vulnerabilities, and anyone operating an Internet-addressable computer who is not familiar with any of them is incompetent.

Speaking of incompetence, it was Qualys' desire for fame which caused them to retain a PR firm, which is why this vulnerability was announced as such before major vendors had patches available. If Qualys had stuck to the normal avenues, there would not have been any need for the ridiculous panic felt by half-informed administrators.

The vast majority of people who read about security vulnerabilities primarily via press releases are almost certainly not in a position to fix them. What, then, is the motivation for presenting them with a goddamned logo?


"anyone operating an Internet-addressable computer who is not familiar with any of them is incompetent"

Sorry, but I just can't take such a statement seriously. There are millions of people who are in this situation. Calling them incompetent is just ridiculous. Perhaps you were around for the big worms, but vulnerable internet-facing systems are purely reality. Making people more aware is not some kind of problem.


Yes, and the vast majority of those millions of people have an arrangement with their OS vendor to receive updates, including security-related updates.

The ones who don't rely on Windows Update, Red Hat alerts, or similar services from various vendors are the ones who have presumably chosen an operating system deliberately outside of those with curated update procedures -- and please note that even relatively small projects tend to have security notification lists.

That leaves a vastly outnumbered, tiny minority of people who are either willfully ignoring crucial information or are constitutionally unable to consume it, and neither group is doing humanity any great service in the process.

In short, retaining a PR firm does nothing to enhance the overall internet's security posture, and just leads to a lot of half-informed worry on the part of people who can't take any action anyway.


I expect the actual number is billions, not millions.


Well, there are 4 billion addresses but the definition of internet addressable is a bit odd with attack vectors through email and web outbound access.


PR, as it's being used here, doesn't increase awareness of security in general, it only increases awareness of a single, specific issue. There are many more major security issues that don't get branded and hyped up, they just get solved.

Would you have all major vulns receive the same level of PR? If so, there would be a C-SPAN style, 24 hour channel constantly discussing the latest issues. This channel would not be commercially viable as the majority of people would ignore it. No amount of PR for individual issues will increase the public's awareness of the real problems. The media coverage of Heartbleed was particularly useless, as it didn't tell anyone what they should, or could do. The sysadmins updated their systems, the developers patched their libraries, the general populace just worried non-specifically about something they couldn't do much about.

I would also like to point out that the human race survived without PR for thousands of years. It's not "absolutely essential" for anything.


> the human race survived without PR for thousands of years

Human perception management is an ancient tradition, dating to the earliest religions, merchants, philosophers and government.

If we can't get rid of it, we may as well make it widely accessible, if only for defensive purposes.

PR is psychological malware. Perfect company for the other kind.
