Brocards for vulnerability triage
Summary
The article introduces 'brocards' for vulnerability triage: short maxims (the term is borrowed from the legal sense of a brocard) that let a triager quickly judge whether a vulnerability report is legitimate and how much impact it has. It lays out five guiding principles, labelled 'threat modeling', 'not exploiting from heaven', 'usage-based vulnerability', 'standard-based issues', and 'don't cure worse than the disease', and then discusses how CVE reporting and the downstream impact on dependent projects affect triage decisions.