Providing well-formatted and easily accessible security advisories makes a significant difference in the customer experience and helps to quickly remediate vulnerabilities.
FREMONT, CA: Over the years, the world has seen every variation of security advisory imaginable. Regardless of the format in which they are provided, security advisories are vital for giving customers, infosec vendors, and practitioners the knowledge they need to ensure vulnerabilities are identified, reviewed, and resolved as quickly as possible. Here is what comprises a good security advisory.
Each vulnerability should be associated with a unique identifier. A vendor should assign an internally unique identifier so that many parties can communicate about the vulnerability without wondering whether everyone is talking about the same issue. For each vulnerability disclosure, the security advisory should carry a detailed description of the issue and its CVSSv3 metrics. This ensures that customers and security vendors can clearly understand the effect of the vulnerability and communicate it to others using the industry standard.
Identifying Affected Versions
Besides benchmarking technical severity, customers want to know which versions of a product are affected by a particular vulnerability so they can tell whether they need to take action. A vulnerability may exist only in a newer version of an affected product that the customer is not currently running. It is also vital to communicate any conditions that must be met for the software to be impacted, and how customers can determine whether that condition holds in their environment. This is especially true for hardware vulnerabilities.
Explaining the Remediation
Unless no remedy is available, each affected version should be clearly mapped to the minimum version to which a customer must upgrade to remediate the vulnerability. If a specific branch has no fix, it is important to state that no remedy is available on that branch and that customers must upgrade to a more recent release.
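The two points above (affected versions with their preconditions, and a per-branch mapping to the minimum fixed version) are easiest to get right when the advisory is machine-readable and the customer can run a check against it. The following is an added example, not code from the article or from any vendor: a constructed advisory with a hypothetical product "ExampleGateway", a placeholder identifier ADV-EXAMPLE-0001, constructed version numbers and an illustrative CVSS vector, plus the `assess()` function a customer would run to answer "is my running version affected, and what is the minimum version that fixes it?". Branches without a fix are redirected to the lowest fixed version on a newer branch, which is the "must upgrade to a more recent release" case.

```python
"""Added example, not code from the article: a small machine-readable
security advisory plus the check a customer runs against it to answer
"is my version affected, and what is the minimum version that fixes it?"

Every identifier, product name and version here is constructed for
illustration; ADV-EXAMPLE-0001 is a placeholder, not a real advisory ID.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.4.1' into (2, 4, 1) so versions compare as tuples."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Branch:
    """One release branch of the product, as the advisory describes it."""
    major: int                       # branch selector: every version with this major number
    first_affected: str              # first vulnerable version on the branch (inclusive)
    fixed_in: Optional[str]          # minimum fixed version, or None when the branch has no fix
    condition: Optional[str] = None  # extra precondition the customer must check, if any


@dataclass(frozen=True)
class Assessment:
    affected: bool
    upgrade_to: Optional[str]        # minimum version that remediates, when action is needed
    note: str


# Constructed advisory. The CVSS vector is illustrative, not a scored real issue.
ADVISORY = {
    "id": "ADV-EXAMPLE-0001",
    "product": "ExampleGateway",
    "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "branches": [
        Branch(3, "3.0.0", "3.1.2"),
        Branch(2, "2.0.0", "2.8.5", condition="only when the management API is enabled"),
        Branch(1, "1.0.0", None),  # end-of-life branch: no remedy, customer must change branch
    ],
}


def assess(running: str, advisory: dict = ADVISORY) -> Assessment:
    """Map a running version to 'not affected' or 'affected, upgrade to X'."""
    v = parse_version(running)
    branch = next((b for b in advisory["branches"] if b.major == v[0]), None)
    if branch is None:
        # A branch the advisory does not list is, by the advisory's own terms, not affected.
        return Assessment(False, None, "version not covered by this advisory")
    if v < parse_version(branch.first_affected):
        return Assessment(False, None, "predates the first affected version")
    if branch.fixed_in is not None and v >= parse_version(branch.fixed_in):
        return Assessment(False, None, "already at or above the fixed version")
    if branch.fixed_in is None:
        # No fix on this branch: point at the lowest fixed version on any newer branch.
        newer_fixes = [parse_version(b.fixed_in) for b in advisory["branches"]
                       if b.major > branch.major and b.fixed_in is not None]
        if not newer_fixes:
            return Assessment(True, None, "no remedy available in any release")
        target = ".".join(str(n) for n in min(newer_fixes))
        return Assessment(True, target,
                          f"no fix on the {branch.major}.x branch; move to a newer release")
    note = f"vulnerable; upgrade to {branch.fixed_in}"
    if branch.condition:
        note += f" ({branch.condition})"
    return Assessment(True, branch.fixed_in, note)


if __name__ == "__main__":
    for ver in ("3.1.2", "3.0.4", "2.3.0", "1.9.0", "4.0.0"):
        a = assess(ver)
        print(f"{ADVISORY['id']} {ver:>6}: affected={a.affected!s:5} "
              f"upgrade_to={a.upgrade_to} ({a.note})")
```

The design choice worth noting is that the advisory, not the customer, decides the mapping: each branch carries its own `first_affected` and `fixed_in`, so a customer on 3.0.4 is sent to 3.1.2 rather than to the newest release overall, and a customer on the unfixed 1.x branch is told plainly that no remedy exists there and given the lowest fixed version on a newer branch. The `condition` field is the place to record the precondition the article mentions, so the customer can verify whether it applies before scheduling an upgrade.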
Improving Accessibility with Dataset
Another area in which there are varying levels of maturity is how and where security advisories are hosted. Common channels include mailing lists, forum posts, blog posts, indexed HTML pages, and APIs. In all of these cases, it is vital to have an easy-to-find location that centralizes access to security advisories. Without a centralized index, customers face a laborious search, which increases the effort needed to review and remediate newly published vulnerabilities.