How To Write A Vulnerability Disclosure

For anyone who has ever worked in vulnerability management, sifting through endless amounts of poorly written, ambiguous, misleading vulnerability advisories has never been a fun part of the job. Information is often withheld or left out, the descriptions are hard to understand, and sometimes they are unfortunately just plain wrong. For a long time, vulnerability databases like the NVD have been heralded as a single source of truth when they, like all things, are fallible. My aim is to bring attention to this problem, and to help security researchers (and anyone else involved in the vulnerability disclosure process) write advisories that significantly help other security practitioners, making their jobs and lives much easier. In this talk, I will start by giving a brief introduction to the current public vulnerability ecosystem, and once that is established, explain why anyone listening should care about this topic at all. After that I will go over the key factors that go into creating a useful and actionable vulnerability description and disclosure. For each factor, I will give at least one good and one bad example, and give tips on what to do and what not to do. I will finish the talk with a brief walkthrough of the vulnerability disclosure process, a summary, and a call (plea) to action for better advisories.