Brocards for vulnerability triage

50 points by yossarian


aleyan

The list looks good. There is a high chance this blog post will become a canonical reference for these sec brocards. That chance would be higher if the individual brocards were anchor-linkable.

icefox

Fortunately, not actually about the business cards of tech bros.

junon

Thank you thank you thank you for the ReDoS section. I feel seen. I maintain debug and a few other color libraries on npm, and the ReDoS vulnerability noise plus the CVEs filed without my knowledge have caused chaos in the past, to the point that I really don't want to maintain them at all anymore.

I also agree entirely about "undesirable behavior is not intrinsically a vulnerability". I've fought a few GHSAs that document (expected) performance issues incorrectly flagged as high/severe vulnerabilities. Yes, handing a syntax highlighter library 100MB of code will make the browser slow and use a lot of memory to render it. That's not a high severity vulnerability (and was apparently approved by GH's manual review team...).

I will be linking to this in the future when responding to people about this, very good writeup. Thank you for posting it!

captn3m0

Suggestion for another one: "You can't start on the other side of the airtight hatchway", from Raymond Chen's blog post. Vulnerabilities should not require a starting point with additional privileges which would render the vulnerability needless for an attacker.