A practical guide to vulnerability triage brocards — concise aphorisms for quickly evaluating whether a security report describes a real vulnerability. Covers common dismissal criteria: missing or incoherent threat models, attacker capability assumptions that exceed the vulnerability itself, behaviors that don't occur in actual usage, violations of programmer-maintained invariants, re-reports of upstream issues that aren't reachable downstream, behaviors that correctly implement a standard, and reports whose remediation costs exceed the vulnerability's impact. Also critiques the CVE ecosystem for enabling spam reports that burden maintainers without meaningful security benefit.