Hasty Briefs (beta)

Brocards for Vulnerability Triage

9 hours ago
  • #open-source
  • #security-principles
  • #vulnerability-triage
  • Vulnerability reports lacking a threat model or with an incoherent threat model can be dismissed.
  • Reports can be dismissed if the attacker's required capabilities exceed or equal the vulnerability's potential harm.
  • A report is dismissible if it describes a behavior that could occur in principle but does not occur in actual software usage.
  • Reports can be dismissed when the behavior stems from correct adherence to a standard or specification, not an implementation flaw.
  • Maintainers should reject reports where the remediation effort causes more harm than the vulnerability itself.
  • The presence of a vulnerability report or CVE does not guarantee an actual vulnerability exists.
  • Nonsense submissions like spam, 'beg bounty' requests, and low-effort LLM-generated reports are common in triage.
  • Brocards serve as concise principles to quickly evaluate legitimacy, though they are not universally true laws.