Security Advisory Writing
Advisory structure, CVSS scores, vulnerability descriptions, mitigation, and responsible disclosure
Security advisory essentials
- Advisory structure: vulnerability type + CVE ID + CVSS score + affected component + impact + mitigation
- CVSS: 0.0–10.0 severity (9.0–10.0 = Critical) computed from exploitability metrics (attack vector, attack complexity, privileges required, user interaction) and the impact on confidentiality, integrity and availability
- Description: attack vector + exploitation requirements + full impact scope
- Mitigation: fixed version + upgrade command + interim workaround + config changes
- Responsible disclosure: private notification → 90-day fix window → public disclosure after patch
What is the primary purpose of a security advisory document?
Structured vulnerability disclosure: what + who affected + severity + mitigation. Security advisory audiences:
- External advisory (CVE): for library maintainers disclosing vulnerabilities to their users — published after a fix is available
- Internal advisory: for security teams informing engineering of a vulnerability found in internal systems
- Customer advisory: for products informing customers of a breach or security issue affecting their data
What does CVSS score measure in a security advisory?
Severity 0.0–10.0: exploitability (how easily the flaw is reached and triggered) plus impact on the CIA triad. CVSS v3.x score ranges:
- 0.0: None
- 0.1–3.9: Low
- 4.0–6.9: Medium
- 7.0–8.9: High
- 9.0–10.0: Critical
- Attack Vector: Network (reachable remotely) vs. Adjacent (same network segment) vs. Local (needs a local account or shell) vs. Physical (needs hands on the device)
- Attack Complexity: Low (reliably reproducible) vs. High (depends on conditions the attacker does not control, e.g. winning a race)
- Privileges Required: None vs. Low vs. High
- User Interaction: None vs. Required (a victim must click, open or visit something)
- Scope: Unchanged vs. Changed (the exploit escapes the vulnerable component's security boundary, which raises the score)
- Impact on CIA: Confidentiality, Integrity, Availability; None/Low/High for each
Which security advisory description is written most effectively?
Vulnerability type + CVE ID + CVSS + affected component + attack vector + exploitation requirements + impact. Security advisory description components:
- Vulnerability type: "SQL injection" — industry-standard term (OWASP)
- CVE ID: "CVE-2026-1234" — searchable, trackable
- CVSS: "9.8 Critical" — immediate prioritisation signal
- Affected component: "user search endpoint" — engineers know exactly where to look
- Attack vector: "unauthenticated attacker" + "malicious search query" — tells security teams how to test
- Exploitation requirements: "No authentication or special privileges required" — the most dangerous configuration
- Impact: "read, modify, or delete all database records" — full scope
What should a "mitigation" section in a security advisory contain?
Fixed version + upgrade steps + interim workaround + config changes. Mitigation section template:
- Fixed in: v3.4.2 and v2.8.1 (patch backported to the still-supported 2.x line)
- Upgrade: `npm install mylib@3.4.2` (or `pip install mylib==3.4.2`), then confirm the installed version and redeploy
- Interim workaround (if the fix cannot be applied yet): "Disable the /search endpoint via the feature flag SEARCH_ENABLED=false until the patch is applied"
- Configuration: "If running behind a WAF, add a rule that blocks requests whose query parameters contain a single quote followed by a SQL comment sequence (`'--`)". State plainly that a pattern rule only narrows the attack surface: it does not remove the defect, can be bypassed by payloads that avoid the pattern, and is not a substitute for upgrading
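Why the advisory should call the WAF rule an interim measure rather than a fix is easiest to see by running both against the same endpoint. The following is an added example (not code from the page or from any real product): the table, data, payloads and WAF pattern are all constructed here. It models the page's search endpoint in SQLite, puts a rule blocking a quote followed by `--` in front of it, and shows that the vulnerable handler still leaks every row to a payload that never uses `--`, whereas the parameterised handler returns nothing for either payload.

```python
"""Interim WAF rule versus the real fix for a search-endpoint SQL injection.

Added example, not code from the page or any real product. The schema, the
sample rows, the WAF pattern and the payloads are constructed for illustration.
"""
import re
import sqlite3

# Constructed reconstruction of the advisory's interim rule: reject any query
# parameter containing a single quote followed (anywhere) by a "--" comment marker.
WAF_RULE = re.compile(r"'.*--")


def waf_blocks(param: str) -> bool:
    """Return True if the interim WAF rule would reject this parameter value."""
    return WAF_RULE.search(param) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with a column the search must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def search_vulnerable(conn, q: str) -> list:
    """The defect class the advisory describes: untrusted input spliced into SQL text."""
    sql = f"SELECT name FROM users WHERE name LIKE '%{q}%'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, q: str) -> list:
    """The actual fix: a parameterised query. The input can only ever be a LIKE pattern value."""
    rows = conn.execute("SELECT name FROM users WHERE name LIKE ?", (f"%{q}%",))
    return [row[0] for row in rows]


def endpoint(conn, q: str, *, fixed: bool) -> dict:
    """Simulate the endpoint behind the WAF: the rule runs first, then one of the handlers."""
    if waf_blocks(q):
        return {"blocked": True, "rows": []}
    rows = search_fixed(conn, q) if fixed else search_vulnerable(conn, q)
    return {"blocked": False, "rows": sorted(rows)}


# Constructed payloads. The first has the shape the interim rule targets; the
# second reads the same rows (including the email column) without any "--".
PAYLOAD_COMMENT = "' UNION SELECT email FROM users --"
PAYLOAD_NO_COMMENT = "' UNION SELECT email FROM users WHERE '' LIKE '"

if __name__ == "__main__":
    db = make_db()
    for label, q in (("normal", "bob"),
                     ("comment payload", PAYLOAD_COMMENT),
                     ("no-comment payload", PAYLOAD_NO_COMMENT)):
        print(f"{label:20} unpatched+WAF: {endpoint(db, q, fixed=False)}"
              f"  patched: {endpoint(db, q, fixed=True)}")
```

The pattern rule stops the payload it was written for and nothing else; the second payload walks straight through it and the unpatched handler returns names and email addresses alike. Only the parameterised query closes the hole for both, which is the point the mitigation section should make explicit when it lists a WAF rule next to the fixed version.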
What is "responsible disclosure" in the context of security vulnerabilities?
Private notification + 90-day fix window + public disclosure after patch. Responsible disclosure timeline:
- Day 0: Researcher discovers the vulnerability and notifies the vendor privately via security@vendor.com (or the vendor's bug bounty programme, e.g. on HackerOne)
- Day 0–90: Vendor triages, develops, tests and releases a fix; researcher and vendor keep each other informed of progress
- Day 90: If no fix has been released, the researcher may publish details; the deadline creates pressure to fix without leaving users indefinitely exposed to a flaw only the vendor knows about
- Post-fix: Vendor publishes CVE and advisory; researcher may publish their analysis