Learn to write clear security advisories: CVE IDs, affected versions, severity, mitigation language, and standard disclosure phrases.
1 / 5
What is a CVE ID, and what does it look like in a security advisory?
CVE (Common Vulnerabilities and Exposures) IDs are assigned by CVE Numbering Authorities (CNAs) under the CVE Program operated by MITRE. Many large vendors (Microsoft, Google, Red Hat) and platforms such as GitHub are CNAs and assign IDs for vulnerabilities within their own scope; a project without a CNA of its own requests an ID from MITRE or another root CNA. The format is CVE-YYYY-NNNN: YYYY is the year the ID was reserved or published (not the year the bug was introduced or found), and the sequence number has at least four digits and may have more, so a five-digit number is neither 'newer' nor 'worse' than a four-digit one. One ID identifies one vulnerability: an advisory that fixes several issues lists several IDs, and an ID may appear as RESERVED before details are published. CVE IDs are the key used by NVD (National Vulnerability Database), security scanners (Trivy, Snyk, Grype), and patch management tools, which makes them the universal language for vulnerability communication; an advisory that omits the ID cannot be correlated by any of them.
2 / 5
What should the 'affected versions' section of a security advisory specify?
Precise version ranges are essential for actionability: 'versions >= 1.0.0 and < 2.4.4 are affected' names both the first affected release and the first fixed one. Use the project's own version scheme, and if the fix was backported, list the fixed version of every supported branch (a separate fixed version for the 1.x line and for 2.x, for example). Operators and automated scanners (Dependabot, Renovate, Snyk) parse this range to decide whether a dependency in use is vulnerable; machine-readable feeds such as OSV and the GitHub Advisory Database express it as 'introduced'/'fixed' version events, so write the prose so that it maps onto those cleanly. Vague language ('older versions may be affected') is inadequate: users cannot determine their exposure, so they either upgrade unnecessarily or fail to upgrade when they need to.
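As an added example that serves both the CVE-ID card and this one (it is not code from the page or from any real scanner), the script below works on a constructed sample advisory whose CVE number is a placeholder: it extracts and normalises CVE IDs, converts the prose range into comparators and into OSV-style introduced/fixed events of the kind Dependabot and osv-scanner consume, and refuses to evaluate a vague range rather than silently reporting 'not affected'. It assumes plain x.y.z versions with no pre-release tags; the regexes, function names and sample text are assumptions of this example, not any tool's API.

```python
# Added example (not from any real advisory or scanner): extract CVE IDs,
# turn 'versions >= 1.0.0 and < 2.4.4' into comparators and OSV-style
# events, and decide whether an installed version is affected.
# Assumption: plain x.y.z versions with no pre-release tags.
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
Comparator = Tuple[str, Version]

# Constructed sample advisory. The CVE number is a placeholder for this
# sample only and does not refer to any real vulnerability.
SAMPLE_ADVISORY = """\
Summary: path traversal in the archive extraction helper.
Identifier: CVE-2024-12345 (some feeds list it as cve-2024-12345)
Affected versions: versions >= 1.0.0 and < 2.4.4 are affected.
Fix: Update to version 2.4.4 or later to fix this issue.
"""

# Four-digit year, then a sequence number of at least four digits.
# Case-insensitive because tickets and feeds are not consistent.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# One comparator such as '>= 1.0.0' or '< 2.4.4'; longest operators first.
COMPARATOR_RE = re.compile(r"(>=|<=|==|>|<)\s*v?(\d+(?:\.\d+){0,2})")

_OPS = {">=": lambda v, b: v >= b, ">": lambda v, b: v > b,
        "<=": lambda v, b: v <= b, "<": lambda v, b: v < b,
        "==": lambda v, b: v == b}


def parse_version(text: str) -> Version:
    """'2.4' -> (2, 4, 0); missing components count as zero."""
    parts = [int(p) for p in text.lstrip("v").split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def extract_cve_ids(text: str) -> List[str]:
    """Distinct CVE IDs in order of appearance, normalised to upper case."""
    ids: List[str] = []
    for year, number in CVE_RE.findall(text):
        cve = f"CVE-{year}-{number}"
        if cve not in ids:
            ids.append(cve)
    return ids


def parse_range(text: str) -> List[Comparator]:
    """Comparators in an 'affected versions' sentence; empty when vague."""
    return [(op, parse_version(v)) for op, v in COMPARATOR_RE.findall(text)]


def is_affected(installed: str, comparators: List[Comparator]) -> bool:
    """True when the installed version satisfies every comparator.
    An empty list raises: a vague range must never be silently read as
    'not affected'."""
    if not comparators:
        raise ValueError("affected-version range is not machine-readable")
    v = parse_version(installed)
    return all(_OPS[op](v, bound) for op, bound in comparators)


def to_osv_events(comparators: List[Comparator]) -> List[Dict[str, str]]:
    """OSV-style range events, the shape Dependabot and osv-scanner consume.
    OSV 'introduced' is inclusive, so an exclusive '>' bound is rejected
    rather than guessed."""
    events: List[Dict[str, str]] = []
    for op, bound in comparators:
        ver = ".".join(str(n) for n in bound)
        if op == ">=":
            events.append({"introduced": ver})
        elif op == "<":
            events.append({"fixed": ver})
        elif op == "<=":
            events.append({"last_affected": ver})
        elif op == "==":
            events += [{"introduced": ver}, {"last_affected": ver}]
        else:
            raise ValueError(f"cannot express {op!r} as an OSV range event")
    return events


def parse_advisory(text: str) -> dict:
    """Fields an operator or scanner needs, taken from the advisory text."""
    line = next((ln for ln in text.splitlines()
                 if ln.lower().startswith("affected versions")), "")
    comparators = parse_range(line)
    return {"cve_ids": extract_cve_ids(text), "comparators": comparators,
            "osv_events": to_osv_events(comparators)}


if __name__ == "__main__":
    parsed = parse_advisory(SAMPLE_ADVISORY)
    print(parsed["cve_ids"], parsed["osv_events"])
    for installed in ("0.9.5", "1.0.0", "2.4.3", "2.4.4"):
        print(installed, is_affected(installed, parsed["comparators"]))
```

Run it directly to see the sample evaluated for a few installed versions. The deliberate ValueError on an empty comparator list is the point of the card: a scanner fed 'older versions may be affected' should fail loudly rather than clear the dependency.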
3 / 5
What does 'no known exploits in the wild' mean in a security advisory?
'No known exploits in the wild' (sometimes 'no evidence of exploitation in the wild') is a standard advisory phrase describing exploitation status at publication time, and it covers only what the vendor knows: absence of reports is not proof that nobody is exploiting the bug. It is a snapshot, not a permanent status. A vulnerability can go from unexploited to actively exploited within days of advisory publication, once a public proof of concept or exploit code appears, so date the statement and update the advisory when the status changes (CISA's Known Exploited Vulnerabilities catalogue is one public tracker of such changes). The phrase provides context for prioritisation: patches for unexploited vulnerabilities may have a longer remediation window than actively exploited ones, but the window is not open-ended.
4 / 5
What is the correct phrasing for recommending a patch in a security advisory?
'Update to version X or later to fix this issue' is the canonical mitigation recommendation. It specifies the action (update), the target (version X or later), and the outcome (fixes this issue). Name the exact fixed version for every supported branch, and state any step the upgrade alone does not perform, such as rotating credentials that may have been exposed or changing a default setting. If a patch is not yet available, include a workaround: 'Until the patch is available, disable feature Y or restrict access to endpoint Z.' Vague language like 'consider upgrading' reduces urgency and uptake.
5 / 5
What is the 'mitigation' section of a security advisory?
The mitigation section answers: 'What should I do right now?' It should include: (1) the definitive fix: 'upgrade to version X'; (2) workarounds if no patch is available or it cannot be applied immediately: 'disable the affected endpoint', 'set configuration option Y to Z'; (3) compensating controls: 'ensure this service is not exposed to the internet'. Order multiple mitigations from most to least effective, and say what each partial mitigation does not cover (a network restriction does not help against an attacker who already has authenticated access, for instance). Good advisories include both immediate and long-term mitigations, and tell readers how to verify that a mitigation is in place, such as the version string or configuration value to check.