Brocards for vulnerability triage

April 11, 2026
[Image: a framed certificate with a Lady Justice statue on a wooden desk. Photo by Pavel Danilyuk on Pexels]

A short, sharp toolkit for noisy triage

It has been reported that a longtime hobbyist triaging open‑source vulnerabilities published a short manifesto of "brocards" — pithy aphorisms borrowed from the legal world — to help sift signal from noise. The point is simple: when maintainers are buried under poorly framed reports, a handful of clear heuristics can let you dismiss the nonsense fast and focus on what truly matters. Frustration, meet pragmatism.

Examples that cut through the chatter

The blog allegedly draws on prior work by security practitioners such as Alex Gaynor and historical notes from Raymond Chen. It lists familiar triage touchstones: dismiss reports with no coherent threat model (a classic “motion to dismiss” move); ignore reports that describe surprising exceptions or local developer hangs that cannot realistically be abused; and reject so‑called exploits that require the attacker to already have equal or greater capability than the vulnerability would grant. Other entries call out active MITM claims (if an attacker can already inject arbitrary content into the channel, there's nothing meaningful to patch), code‑execution reports that rely on the attacker already running arbitrary code (ctypes fiddling in CPython, for example), and reports that describe behavior only possible when caller invariants are violated.

Practical nuance, not hand‑waving

The post stresses nuance: not every dismissed report is irrelevant forever. A private API that’s provably unreachable in a downstream product isn’t a vulnerability for that downstream, but the same bug might be real in another context. Likewise, an invariant violation isn’t necessarily “not a bug”—it may be a programmer error in the caller rather than a flaw in the callee. These are judgement calls, but brocards aim to make those calls fast and consistent.
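The heuristics in the two sections above are essentially an ordered set of dismissal rules, and the "attacker already has equal or greater capability" rule subsumes both the active‑MITM and the "already running arbitrary code" cases. The following is an added illustration, not code from the original post or from its author: it encodes those brocards as predicates over a small structured report. The capability scale, the field names, the rule wording and the sample inbox are all assumptions constructed for this example; the post defines no such scale.

```python
"""Triage brocards as executable checks over a structured report.

Added illustration. The capability ordering, field names and rule text
are assumptions made for this example, not the original post's definitions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Capability(IntEnum):
    # Ordered weakest to strongest; the ordering itself is a constructed assumption.
    REMOTE_INPUT = 0     # can only send input to a reachable endpoint
    NETWORK_ACTIVE = 1   # can tamper with traffic in transit (active MITM)
    LOCAL_USER = 2       # runs as an ordinary user on the host
    CALLER = 3           # controls the code that invokes the API
    ARBITRARY_CODE = 4   # already runs arbitrary code in the process


NUISANCE_IMPACTS = {"hang", "unexpected_exception"}


@dataclass
class Report:
    title: str
    has_threat_model: bool
    requires: Capability            # what the attacker must already hold
    grants: Capability              # what success would give the attacker
    impact: str = "code_execution"  # e.g. "code_execution", "hang", "content_injection"
    remotely_triggerable: bool = True
    violates_caller_invariant: bool = False
    reachable_in_product: Optional[bool] = None  # None = not yet established


def triage(r: Report) -> Tuple[bool, str]:
    """Return (accept, reason). The first matching brocard decides."""
    if not r.has_threat_model:
        return False, "no coherent threat model (motion to dismiss)"
    if r.reachable_in_product is False:
        # Dismissed for this downstream only; the same bug may be real elsewhere.
        return False, "provably unreachable in this product"
    if r.violates_caller_invariant:
        return False, "caller violates a documented invariant; bug is in the caller"
    if r.impact in NUISANCE_IMPACTS and not r.remotely_triggerable:
        return False, "local hang/exception that cannot realistically be abused"
    if r.requires >= r.grants:
        # Covers the active-MITM case and the 'attacker already runs code' case alike.
        return False, "attacker must already hold the capability the bug would grant"
    return True, "investigate"


def triage_all(reports: List[Report]) -> dict:
    """Summarise a batch: accepted titles plus a count per dismissal reason."""
    summary = {"accepted": [], "dismissed": {}}
    for r in reports:
        ok, why = triage(r)
        if ok:
            summary["accepted"].append(r.title)
        else:
            summary["dismissed"][why] = summary["dismissed"].get(why, 0) + 1
    return summary


# Constructed sample inbox for the example; these are not real reports.
SAMPLE_INBOX = [
    Report("RCE via ctypes in CPython", True,
           Capability.ARBITRARY_CODE, Capability.ARBITRARY_CODE),
    Report("MITM can inject content into plaintext HTTP fetch", True,
           Capability.NETWORK_ACTIVE, Capability.NETWORK_ACTIVE, impact="content_injection"),
    Report("Parser hang on crafted file opened by a developer", True,
           Capability.LOCAL_USER, Capability.LOCAL_USER, impact="hang",
           remotely_triggerable=False),
    Report("Crash when passing a negative length to an internal API", True,
           Capability.CALLER, Capability.ARBITRARY_CODE, violates_caller_invariant=True),
    Report("Heap overflow in network-facing decoder", True,
           Capability.REMOTE_INPUT, Capability.ARBITRARY_CODE),
    Report("Something weird happened", False,
           Capability.REMOTE_INPUT, Capability.ARBITRARY_CODE),
]

if __name__ == "__main__":
    for rep in SAMPLE_INBOX:
        accept, why = triage(rep)
        print(f"{'ACCEPT ' if accept else 'DISMISS'} {rep.title}: {why}")
```

Rule order matters: the explicit brocards (no threat model, unreachable downstream, caller invariant, unabusable local nuisance) are checked before the general capability comparison, so a report gets the most specific reason for its dismissal, and only the network‑facing overflow survives to "investigate".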

Why this matters

Why care? Because maintainers are people, too. The angry inbox of duplicate, under‑specified, or context‑free reports burns time and goodwill. A compact set of triage brocards gives teams a shared language and a shortcut to triage sanity. Practical, human, and a little bit legalistic — sometimes you need an aphorism to tell you when to move on.

Sources: blog.yossarian.net, Lobsters