A few days ago, I discovered a security flaw at the company that hosts my website. I reported this to the company, NameCheap, and to a security researcher I know, Graham Cluley. Graham, in turn, shared this information on Twitter, and on his podcast Smashing Security.
One thing that irked Graham – and me – was the way that NameCheap’s representative on Twitter used the term “teeny tiny” to describe the extent of this vulnerability’s exploitation. And they also suggested, on Twitter, that it shouldn’t be discussed publicly.
This is despite the fact that the information I published did not in any way explain how this vulnerability could be exploited, but merely described its result. (NameCheap later provided a detailed explanation.)
There’s been a bit of back and forth between Graham Cluley and NameCheap CEO Richard Kirkendall (see this Twitter thread), much of it about the terminology that was used. “Teeny tiny” is not a technical word, and, to my ears, sounds dismissive.
This is problematic. Twitter is used as the voice of companies. A tweet can be as important as a press release; heck, even the US president announces policy in 280 characters. Companies that don’t realize this run the risk of being misunderstood, especially when something as sensitive as a security breach occurs.
In my article about this issue, I congratulated NameCheap on their rapid resolution of the problem. But I have communicated to Mr Kirkendall about the fact that I have not received any formal notification from the company regarding this breach, even though NameCheap said that all those affected – apparently just 12 domains – would be contacted. He has apologized on Twitter. He also said a full audit of the incident would be made, which is, of course, normal when there is this type of security breach.
The fact remains that Twitter leads people to speak quickly and sometimes rashly. I have worked as a journalist for long enough to know how important a choice of words is. I’ve worked hours on press releases with clients to get just the right words. And a tweet, especially when it is seen as an official statement from a company, is not very different from a press release. The wrong words have consequences.