“Major security flaw in virtual reality porn app SinVR exposes the perverted secrets of 20,000 users.”
This was the headline which ran in The Daily Mail after Digital Interruption discovered a security vulnerability in a virtual reality porn application in January 2018. But the headline didn’t tell the true story.
The media attention, although brief, got more ridiculous by the day. It quickly became clear that sex, not security, was why the press was interested in this story.
When it comes to vulnerability disclosure, there is no mandatory process, so researchers often get stuck. If they can’t engage with the vendor directly, they are forced to either sit on the vuln, fully disclose (typically via 280 characters), or turn to the media for help.
In a media climate that changes narratives and sensationalises stories for clicks and follows, how does this translate for security? How do we instil trust in our industry when stories are twisted and there is little recourse for the researcher, especially when they know the law does not protect them?
This talk will discuss how the media use narratives to twist stories and the impact this has on security. We will discuss real cases with real outcomes and look at how communication and trust between InfoSec and the press might be improved.