How we publish
Operator-first triage, primary-source citations, four named desks.
This is the editorial process behind every digest and post: the sources we read, the rule every recommended action ties back to, the four desks that own bylines, the things we will not publish, and what happens on a quiet day.
Sources we pull from
We work from six source layers. The first five are external; the sixth is the one that holds the others accountable.
-
NVD
Use: The enriched CVE record: CVSS metrics and CPE applicability strings. The starting point for affected-version checks.
Don’t trust for: Severity on its own. When CISA KEV or a vendor advisory disagrees with NVD on real-world impact, the source closer to the exploitation wins.
-
CISA KEV
Use: Confirmation that a CVE is being exploited in the wild and a federal patch deadline. Promoted to the top of the digest.
Don’t trust for: A comprehensive exploitation feed. An entry can trail public exploitation by days or weeks, and the absence of a KEV entry is not evidence that a CVE is unexploited.
-
MSRC
Use: Microsoft’s primary advisory channel for Windows, Office, Edge, and Azure. Source of record for Patch Tuesday.
Don’t trust for: Severity reassessments after publication, unless MSRC links the change to a CVE update.
-
GHSA
Use: Open-source advisories with ecosystem and version range data. Source of record for package-manager CVEs.
Don’t trust for: Severity on bugs that have no operator-facing exposure (test-only code paths, dev-time dependencies). The advisory is real; the reachable impact in a deployed system often is not.
-
Vendor advisories
Use: The first canonical statement on affected versions, available patches, and workarounds. Linked from every operator action.
Don’t trust for: Marketing language about “customer protection,” “no action required,” or impact ratings that don’t match the underlying CVSS.
-
Human review
Use: A working sysadmin reads every item before it ships, checks the primary source links, and writes the operator action in plain English.
Don’t trust for: (This one doesn’t get skipped. It’s the layer that catches the others when they’re wrong.)
The primary-source rule
Every recommended action in the digest ties back to a primary source link: the vendor advisory, the KEV entry, the MSRC bulletin, the GHSA record. If we can’t find a primary source for a remediation, we skip the item rather than invent one.
That rule is the reason a CVE sometimes appears in the digest with a short note and a single sentence instead of a complete operator checklist. The note is the honest version; a longer writeup with fabricated config flags would not be.
The editorial desks
Four desks own the byline. Each desk has a defined beat and a defined voice; the rules above apply to all of them equally.
-
Commentary
The Commentary Desk
The Commentary Desk says what everyone on the team is thinking but nobody put in the ticket. Covers bad tools, vendor nonsense, and the gap between what a product page promises and what the rollout actually looks like. Dry, direct, and not interested in being diplomatic about it.
-
Patch Tuesday
The Patch Tuesday Desk
The Patch Tuesday Desk reads every monthly Microsoft release the morning it ships and writes the version a sysadmin actually needs: what's exploited, what's worth a maintenance window, and what can wait. Cinematic-universe lore for the people who have to deploy it.
-
Compliance Watch
The Compliance Watch Desk
The Compliance Watch Desk translates CVE advisories into tenant action under GDPR, HIPAA, and SOC 2. Reads the vendor’s “no customer action required” line through an auditor’s eye and decides whether that’s actually true for your environment.
-
Field Notes
The Field Notes Desk
The Field Notes Desk writes from the operator's chair: per-CVE walkthroughs, vendor postmortems, exploitation timelines, and the occasional war story from a Monday morning that did not go to plan. If it doesn't have a clear next step, it isn't done.
What we will not publish
A short list. These are the lines that separate operator-useful coverage from the kind of CVE aggregator that wastes its reader’s morning.
- Auto-generated remediation. Every operator action gets a human read and a primary-source link before it ships. If we can’t source it, we don’t ship it.
- Fabricated config flags or commands. If the vendor advisory doesn’t name the flag, we don’t. Plausible-sounding mitigation is worse than no mitigation, because someone will paste it into prod.
- Generic SIEM queries. Detection content needs a specific environment to be useful. We link to canonical detection rules where they exist; we don’t make up Sigma stubs.
- Scoring inflation. Severity reads from the source. We don’t talk a 6.8 into a 9.1 to make a post hit harder, and we don’t talk a 9.8 down because the patch is awkward.
Quiet-day discipline
On a slow news day, when fewer than three CVEs survive triage, we publish nothing. No filler items, no rehashes of items already covered, no extending coverage to vulnerabilities that don’t clear the bar to pad an edition.
A skipped day is a signal. It means today wasn’t the day to be in your inbox. Treating that as the default instead of the exception is how the digest stays worth reading on the days it does ship.
Tools
One editorial-shaped tool sits alongside the desks. The compliance impact lookup takes a CVE ID and returns what GDPR, HIPAA, SOC 2, PCI DSS, FedRAMP, SOX, or NIS 2 actually asks of a tenant, drawn from the per-CVE editorial dossiers. It answers only for CVEs we have analyzed. Where we have nothing, it says so and links to NVD. There is no fallback prose, no generative guess, and no “based on similar CVEs” output. The tool grows with the editorial archive: every new entry under /cve/ extends the index at build time.
Contact and corrections
The fastest way to reach the editor or any desk is [email protected]. We publish a running corrections log for material changes to vulnerability details or recommendations; when something moves, the post gets an updated note explaining what changed and why.
For deeper reads: who writes this, the selection and urgency model in detail, and how teams use the digest day to day.