Vulnerability Notifications Overview
- Vulnerability notifications are targeted communications informing stakeholders of known, publicly documented vulnerabilities, distinguishing them from coordinated vulnerability disclosure.
- They employ a structured, multi-step process—from pre-assessment and stakeholder mapping to automated follow-ups—to maximize remediation in diverse operational environments.
- Empirical findings highlight varied response and remediation metrics, emphasizing the need for credible, evidence-backed messaging and stakeholder-specific strategies.
Vulnerability notifications (VNs) are targeted communications, typically initiated by third parties such as researchers, CERTs, or advocacy organizations, to alert operational or end-user stakeholders of the presence of known, exploitable security vulnerabilities in their infrastructure or products. In contrast to coordinated vulnerability disclosure (CVD), which focuses on the initial sharing of undisclosed flaws with vendors, VNs are primarily concerned with post-publication outreach at scale, aiming to prompt remediation among the residual population of unpatched, at-risk systems. The context, processes, stakeholder dynamics, and metrics associated with VNs have evolved with both the increasing complexity of Internet infrastructure and the diversification of notification targets, including hosting providers, network operators, device owners, and multi-stakeholder environments such as the ad-tech supply chain (Chen et al., 17 Jun 2025, Vekaria et al., 11 Jun 2024, Stivala et al., 1 Dec 2025, Hove et al., 2023).
1. Definitions and Scope of Vulnerability Notifications
A vulnerability notification is the act of informing operational stakeholders (e.g., hosting providers, website operators, ISPs, domain owners, incident response teams) that systems under their control remain exposed to a known and publicly documented vulnerability (Chen et al., 17 Jun 2025). According to ISO/IEC 29147:2018, a VN provides information about a functional behavior that violates a security policy to a party not previously aware (Hove et al., 2023). This distinguishes VNs from CVD, which addresses newly discovered, unpublished vulnerabilities and communicates primarily with vendors.
Key contrasts between VNs and CVD include:
- Stakeholder differences: VN targets operators, infrastructure owners, domain owners; CVD targets vendors and developers.
- Vulnerability status: VNs concern already-public vulnerabilities; CVD is pre-publication.
- Risk profile: VNs list which specific hosts remain exposed and so may inadvertently hand attackers a target list even though the flaw itself is public; CVD prioritizes secrecy of the flaw until a fix is available.
- Scale: VNs often involve tens of thousands to millions of notifications per campaign (Chen et al., 17 Jun 2025).
VNs are further categorized by their operational focus, including notifications to shared hosting providers (Stivala et al., 1 Dec 2025), multi-stakeholder ecosystems (e.g., ad-tech supply chain, IoT) (Vekaria et al., 11 Jun 2024, Jüttner et al., 24 Oct 2025), and public sector domains (Hove et al., 2023).
2. Stakeholder Ecosystem and Notification Process
VN campaigns target a spectrum of infrastructure actors, dependent on the vulnerability and affected assets:
- Domain registrants and DNS hosting providers (via WHOIS/RDAP)
- Website operators and SaaS customers
- ISPs and network operators
- Cloud and hosting providers (including shared, VPS, managed environments)
- Abuse desks (registrars, ISPs, email hosts)
- Incident response teams (internal or CSIRT)
- IoT device owners, smart-home users
- Specialized supply-chain actors (e.g., publishers, ad-networks, advertisers in ad-tech) (Vekaria et al., 11 Jun 2024, Chen et al., 17 Jun 2025)
The prototypical VN process, as synthesized across large-scale studies, follows these ten steps (Chen et al., 17 Jun 2025):
1. Pre-assessment (scoping, identifying CVEs, estimating affected hosts)
2. Stakeholder identification (ownership mapping via WHOIS/RDAP, passive DNS, TLS metadata)
3. Contact verification and prioritization (filtering stale addresses, stratifying by impact)
4. Notification channel selection (e-mail with proper SPF/DKIM/DMARC, CSIRT platforms, phone/post where warranted)
5. Message drafting (issue summary, observed asset, CVE/severity, mitigation steps, contact information, opt-out)
6. Pilot send and quality control (test subset, bounce and spam tracking)
7. Full-scale notification (rate limiting, delivery monitoring)
8. Automated follow-up (reminders at 7/30 days)
9. Remediation monitoring (active re-scans, tracking ticket responses)
10. Post-campaign review and publication (metrics, common pitfalls, community reporting)
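The middle of that process (steps 2, 3, 5, 8 and 9) carried through in code, as an added example that is not taken from any of the cited studies. The scan findings, the prefix-to-abuse-contact table standing in for WHOIS/RDAP results, the bounced-address set and the mitigation texts are all constructed, and the CVE identifiers use an intentionally invalid year so they cannot be confused with real entries. The practical points it shows are bundling all affected hosts for one recipient into one message, refusing to send a message that lacks a required field, and keeping remediation state per host so re-scans can be matched back to the notification:

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed scan output (step 1). Placeholder CVE IDs with an invalid year.
FINDINGS = [
    {"host": "203.0.113.10", "cve": "CVE-0000-00001", "cvss": 9.8, "evidence": "Server: app/1.2.3"},
    {"host": "203.0.113.11", "cve": "CVE-0000-00001", "cvss": 9.8, "evidence": "Server: app/1.2.3"},
    {"host": "198.51.100.7", "cve": "CVE-0000-00002", "cvss": 5.3, "evidence": "X-Powered-By: lib/0.9"},
    {"host": "192.0.2.44",   "cve": "CVE-0000-00001", "cvss": 9.8, "evidence": "Server: app/1.2.3"},
]
# Constructed stand-in for WHOIS/RDAP ownership data (step 2): prefix -> abuse contact.
CONTACTS = {"203.0.113.0/24": "abuse@hosting-a.example", "198.51.100.0/24": "abuse@isp-b.example"}
# Addresses that bounced in the pilot send (constructed; step 3 filters them out).
BOUNCED = {"abuse@isp-b.example"}
# Constructed per-CVE mitigation text; a CVE without an entry must not be sent.
MITIGATION = {"CVE-0000-00001": "Upgrade app to 1.2.4 or later, or block TCP/8443 until patched.",
              "CVE-0000-00002": "Upgrade lib to 1.0 or later."}
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
REQUIRED_FIELDS = ("summary", "assets", "cve", "severity", "mitigation", "contact", "opt_out")
SEND_ON = date(2025, 1, 6)  # constructed campaign start date

@dataclass
class Notification:
    recipient: str
    cve: str
    severity: str
    send_on: date
    hosts: list = field(default_factory=list)
    followups: list = field(default_factory=list)
    remediated: set = field(default_factory=set)

def severity_label(cvss: float) -> str:
    """CVSS v3 qualitative bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    return "Medium" if cvss >= 4.0 else "Low"

def resolve_contact(host: str, contacts: dict) -> str | None:
    """Step 2: longest-prefix lookup is not needed here; first matching prefix wins."""
    ip = ipaddress.ip_address(host)
    for prefix, addr in contacts.items():
        if ip in ipaddress.ip_network(prefix):
            return addr
    return None

def build_campaign(findings, contacts, bounced, send_on: date):
    """Steps 2, 3 and 8: resolve owners, drop stale contacts, bundle one message per
    (recipient, CVE), order by impact, and schedule the 7- and 30-day reminders."""
    bundles: dict = {}
    unreachable = []
    for f in findings:
        addr = resolve_contact(f["host"], contacts)
        if addr is None or addr in bounced:
            unreachable.append(f["host"])  # needs a different channel (step 4)
            continue
        key = (addr, f["cve"])
        if key not in bundles:
            bundles[key] = Notification(addr, f["cve"], severity_label(f["cvss"]), send_on,
                                        followups=[send_on + timedelta(days=7), send_on + timedelta(days=30)])
        bundles[key].hosts.append(f["host"])
    ordered = sorted(bundles.values(), key=lambda n: (-SEVERITY_RANK[n.severity], -len(n.hosts)))
    return ordered, unreachable

def draft_message(n: Notification, sender: str, opt_out: str) -> tuple[str, str]:
    """Step 5: render subject and body; refuse to send if any required field is empty."""
    fields = {
        "summary": f"{len(n.hosts)} host(s) in your network are exposed to {n.cve}.",
        "assets": "\n".join(f"  - {h}" for h in n.hosts),
        "cve": n.cve, "severity": n.severity,
        "mitigation": MITIGATION.get(n.cve, ""),
        "contact": sender, "opt_out": opt_out,
    }
    missing = [k for k in REQUIRED_FIELDS if not fields[k]]
    if missing:
        raise ValueError(f"message for {n.recipient} lacks required fields: {missing}")
    subject = f"[{n.severity}] {n.cve}: {len(n.hosts)} exposed host(s) in your network"
    body = (f"{fields['summary']}\nAffected assets (observed {n.send_on}):\n{fields['assets']}\n"
            f"Severity: {fields['severity']}\nRecommended action: {fields['mitigation']}\n"
            f"Questions or false positives: {fields['contact']}\nOpt out: {fields['opt_out']}\n")
    return subject, body

def record_rescan(notifications, rescan: dict) -> int:
    """Step 9: rescan maps host -> still exposed?; newly clean hosts are marked remediated."""
    newly_fixed = 0
    for n in notifications:
        for h in n.hosts:
            if rescan.get(h) is False and h not in n.remediated:
                n.remediated.add(h)
                newly_fixed += 1
    return newly_fixed

if __name__ == "__main__":
    campaign, unreachable = build_campaign(FINDINGS, CONTACTS, BOUNCED, SEND_ON)
    for n in campaign:
        subject, body = draft_message(n, "vn-team@research.example", "https://research.example/vn/opt-out")
        print(subject, body, "reminders:", n.followups, sep="\n")
    print("no usable contact (try another channel):", unreachable)
    print("remediated after re-scan:", record_rescan(campaign, {"203.0.113.10": False, "203.0.113.11": True}))
```

Hosts without a usable contact are returned separately rather than silently dropped, because the page's step 4 is exactly where those go (CSIRT platform, phone or post). The re-scan uses `False` for "no longer exposed" and leaves hosts absent from the re-scan untouched, so a scan that failed to reach a host is never counted as a fix.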
The notification workflow in multi-stakeholder contexts (such as ad-tech) involves sequential rounds targeting each interdependent stakeholder—victim publishers, ad-networks, advertisers—with randomized sender branding for rigorous impact evaluation (Vekaria et al., 11 Jun 2024).
3. Organizational and Operational Factors Shaping VN Efficacy
VN processing is shaped by organizational structure, contractual boundaries, operational workloads, and infrastructural reachability:
- Reception: abuse@ addresses serve as the canonical inbox. Large providers staff dedicated abuse departments; smaller entities collapse technical and abuse roles into one (Stivala et al., 1 Dec 2025).
- Triage and action: Active abuse (phishing/malware) prompts provider-initiated takedown; application-layer issues are usually forwarded to customers or intermediaries. Managed services rarely extend to customer code without explicit support contracts.
- Boundaries and constraints: Providers delineate responsibility—OS and network-level fixes are in scope, but customer application patching is not (Stivala et al., 1 Dec 2025).
- Resource limitations: Low-fee hosting plans, high daily ticket volumes, and cost-benefit calculations drive cursory triage; remediation effort is frequently proportional to ticket cost, report volume, and perceived infrastructure risk.
- Legal and contractual factors: Unmanaged contracts preclude proactive intervention; liability fears further constrain action (Stivala et al., 1 Dec 2025).
- Customer engagement: Technical incapacity and disengagement of customers lead to low remediation rates—only ~10–15% of forwarded VNs prompt support tickets (Stivala et al., 1 Dec 2025).
- Trust in notification senders: Suspicion of phish or scams (especially from non-institutional addresses) diminishes VN credibility absent strong evidentiary attachment or sender authentication (Stivala et al., 1 Dec 2025).
Empirically, policy presence (a formal CVD policy, a published security.txt) increases resolution rates only slightly (by ~9 percentage points), and a significant proportion of notifications remain unacknowledged or unresolved after 90 days (50% in Dutch municipalities; under 3% response in some Belgian cases) (Hove et al., 2023).
4. Metrics, Evaluative Frameworks, and Empirical Outcomes
Canonical VN effectiveness metrics include:
| Metric | Formula | Typical Range / Context |
|---|---|---|
| Remediation Rate | M / N (M: hosts remediated, N: notifications sent) | 20–30% in large-scale hosting/ISP campaigns |
| Response Rate (Rr) | | 2% (Belgium prov.), 43% (Dutch) |
| Resolution Rate (Rl) | | 0–39%, varying with policy presence and channel |
| Reach Rate | | Campaign-dependent |
Study-specific variants include difference-in-differences estimators for causal effect in multi-stakeholder settings (Vekaria et al., 11 Jun 2024), pipeline engagement rates (79.5% delivered and opened), and response stratified by recipient class (publishers, ad-networks, advertisers; ~65–82% open/click rates, 3–4% explicit reply rates) (Vekaria et al., 11 Jun 2024). Time-to-remediation curves, bounce/spam statistics, and ticket tracking are integral to operational assessments (Chen et al., 17 Jun 2025, Hove et al., 2023).
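The metrics above computed over a constructed campaign log, as an added example (the data are invented for illustration and are not results from any cited study). The log holds notified ("treated") hosts and a matched set of equally exposed hosts that were deliberately not notified, which is what the difference-in-differences estimator needs: the control group's drop in exposure is the fix rate that would have occurred anyway, and only the excess drop among notified hosts is attributed to the notification. Response and remediation are tracked separately because, as the page notes, many operators fix silently and some reply without fixing:

```python
from __future__ import annotations
from statistics import median

# Constructed per-host campaign log. "treated": notified or control; "pre"/"post":
# exposed before / after the measurement window; "reply": owner's reaction, if any;
# "days": day the host was first observed clean, None if still exposed at window end.
LOG = [
    {"host": "h1", "treated": True,  "pre": True, "post": False, "reply": "fixed",   "days": 3},
    {"host": "h2", "treated": True,  "pre": True, "post": False, "reply": None,      "days": 12},
    {"host": "h3", "treated": True,  "pre": True, "post": True,  "reply": None,      "days": None},
    {"host": "h4", "treated": True,  "pre": True, "post": True,  "reply": "dispute", "days": None},
    {"host": "h5", "treated": True,  "pre": True, "post": False, "reply": None,      "days": 20},
    {"host": "c1", "treated": False, "pre": True, "post": True,  "reply": None,      "days": None},
    {"host": "c2", "treated": False, "pre": True, "post": False, "reply": None,      "days": 9},
    {"host": "c3", "treated": False, "pre": True, "post": True,  "reply": None,      "days": None},
    {"host": "c4", "treated": False, "pre": True, "post": True,  "reply": None,      "days": None},
    {"host": "c5", "treated": False, "pre": True, "post": True,  "reply": None,      "days": None},
]

def _treated(records):
    return [r for r in records if r["treated"]]

def remediation_rate(records) -> float:
    """M / N: notified hosts no longer exposed at window end, over hosts notified."""
    sent = _treated(records)
    return round(sum(1 for r in sent if not r["post"]) / len(sent), 4)

def response_rate(records) -> float:
    """Notified hosts whose owner replied at all (ack, fixed or dispute), over hosts
    notified. A silent fix counts toward remediation but not response; a dispute
    counts toward response but not remediation."""
    sent = _treated(records)
    return round(sum(1 for r in sent if r["reply"]) / len(sent), 4)

def exposure(records) -> tuple[float, float]:
    """Share of the given hosts exposed before and after the window."""
    n = len(records)
    return sum(r["pre"] for r in records) / n, sum(r["post"] for r in records) / n

def did_effect(records) -> dict:
    """Difference-in-differences on the exposure share:
    (treated post - treated pre) - (control post - control pre).
    A negative 'did' is the extra drop in exposure attributable to the notification."""
    t_pre, t_post = exposure([r for r in records if r["treated"]])
    c_pre, c_post = exposure([r for r in records if not r["treated"]])
    t_change, c_change = round(t_post - t_pre, 4), round(c_post - c_pre, 4)
    return {"treated_change": t_change, "control_change": c_change, "did": round(t_change - c_change, 4)}

def remediation_curve(records, checkpoints=(7, 14, 30)) -> dict:
    """Cumulative share of notified hosts remediated by each checkpoint day
    (the points of a time-to-remediation curve, e.g. at the 7/30-day reminders)."""
    sent = _treated(records)
    return {d: round(sum(1 for r in sent if r["days"] is not None and r["days"] <= d) / len(sent), 4)
            for d in checkpoints}

def median_days_to_fix(records):
    """Median time to remediation among notified hosts that were fixed in the window."""
    days = [r["days"] for r in _treated(records) if r["days"] is not None]
    return median(days) if days else None

if __name__ == "__main__":
    print("remediation rate:", remediation_rate(LOG))
    print("response rate:   ", response_rate(LOG))
    print("DiD:             ", did_effect(LOG))
    print("curve:           ", remediation_curve(LOG))
    print("median days:     ", median_days_to_fix(LOG))
```

Reporting the raw remediation rate alone would overstate the campaign here: 60% of notified hosts were fixed, but 20% of the untouched controls were fixed too, so the notification's own contribution is the 40-point difference. The curve values at day 7 and day 30 line up with the reminder schedule, which makes it easy to see how much each reminder round added.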
The Human-Centered Security Alert Evaluation Framework (HCSAEF) provides a multi-dimensional, Likert-scale evaluation for LLM-generated notifications, covering consequences, context, countermeasures, correctness, intuitiveness, personalization, and urgency (Jüttner et al., 28 May 2025).
5. Communication Design, Channel Strategies, and Human Factors
Effective VN delivery relies on technical, linguistic, and procedural best practices tailored to both recipient role and technical capability:
- Evidence and credibility: High-evidence, machine-readable attachments (screenshots, log excerpts, POC URLs) and consistent, authenticated sender addresses enhance trust and successful triage (Stivala et al., 1 Dec 2025).
- Templates and language: Subject lines must be explicit (CVE, impacted asset), content concise with concrete mitigation, opt-out/false positives supported (Chen et al., 17 Jun 2025).
- Complexity and length: Controlled studies indicate intermediate-complexity notifications maximize likability, understandability, and motivation to act across technical proficiency strata; experts marginally prefer brevity, while novices benefit from longer (≥4 step) messages (Jüttner et al., 24 Oct 2025).
- Best practices: Structure templates with greeting/context, stepwise instructions (2–4), and clear rationale per action; translate technical (CVSS/CVE) jargon to actionable, device-specific language (Jüttner et al., 28 May 2025, Jüttner et al., 24 Oct 2025).
- Prompt engineering for LLMs: Persona, chain-of-thought, and explicit device context improve correctness, countermeasures, and intuitiveness in automatically generated VNs (Jüttner et al., 28 May 2025).
- Adaptive channel use: While e-mail remains dominant, coordinated platforms (VINCE, Shadowserver), ISP walled-garden injects, and even phone/post are used for specific subgroups. Studies report ISP prompt banners can achieve 75–86% remediation in walled gardens (Chen et al., 17 Jun 2025).
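The sender-authentication requirement raised in the channel-selection step and in the credibility point above can be checked before the pilot send. The following is an added example, not code from any cited study: it evaluates the SPF and DMARC TXT records of the sending domain and flags the settings that would let a phisher spoof the notifier's address (and so give recipients a good reason to distrust every message from it). The two domains and their records are constructed; in practice the records would be fetched with a DNS library or `dig TXT`, and DKIM signing is left to the outbound MTA:

```python
from __future__ import annotations
import re

# Constructed TXT records for two hypothetical sending domains (not real domains):
# the first is configured the way a notifier's mail domain should be, the second
# carries the weak settings the checks below flag.
RECORDS = {
    "notify.example": {
        "spf":   "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@notify.example; adkim=s; aspf=s",
    },
    "weak.example": {
        "spf":   "v=spf1 a mx ?all",
        "dmarc": "v=DMARC1; p=none",
    },
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?::|/|$)|mx(?::|/|$)|ptr|exists:|redirect=)")

def check_spf(record: str | None) -> list[str]:
    """Return problems found; an empty list means the record is present and strict."""
    if not record or record.split()[0] != "v=spf1":
        return ["no SPF record: receivers cannot tie the envelope sender to your hosts"]
    terms = record.split()[1:]
    problems = []
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        problems.append("no 'all' mechanism: unlisted senders are treated as neutral")
    else:
        qual = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
        if qual in "+?":
            problems.append(f"'{alls[-1]}': any host may send as this domain")
        elif qual == "~":
            problems.append("'~all' (softfail): prefer '-all' once DMARC alignment is verified")
    if sum(1 for t in terms if LOOKUP_TERM.match(t)) > 10:
        problems.append("more than 10 DNS-lookup terms: receivers return permerror")
    return problems

def check_dmarc(record: str | None) -> list[str]:
    """Return problems found; an empty list means unaligned spoofs will be rejected."""
    if not record or not record.strip().startswith("v=DMARC1"):
        return ["no DMARC record: SPF/DKIM results are never enforced on the From: domain"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    problems = []
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required 'p=' tag")
    elif policy == "none":
        problems.append("p=none: monitoring only, spoofed notifications are still delivered")
    if int(tags.get("pct", "100")) < 100:
        problems.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        problems.append("no rua=: you will not see aggregate reports of failed or spoofed mail")
    return problems

def audit(domain: str, records: dict = RECORDS) -> dict:
    """Pre-flight check for the campaign's sending domain."""
    rec = records[domain]
    return {"spf": check_spf(rec.get("spf")), "dmarc": check_dmarc(rec.get("dmarc"))}

if __name__ == "__main__":
    for domain in RECORDS:
        result = audit(domain)
        verdict = "OK" if not (result["spf"] or result["dmarc"]) else "FIX BEFORE SENDING"
        print(domain, verdict, result)
```

Run against the weak domain this reports that `?all` lets anyone send as the domain, that `p=none` means a spoofed notification would still be delivered, and that without `rua=` the notifier would never learn about it. A campaign sent from such a domain is indistinguishable from the phishing that recipients are already primed to expect.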
6. Multi-Stakeholder Notification Pipelines and Strategic Findings
In complex supply chains (e.g., ad-tech), phased, automated VN campaigns can produce meaningful risk reduction. Key methodological and empirical highlights (Vekaria et al., 11 Jun 2024):
- Automated pipelines couple static and dynamic artifact collection with web scraping of contact points.
- Sequential notification (publishers → ad-networks → advertisers) enables measurement of independent stakeholder contributions.
- Sender reputation (academic vs. activist) generally does not significantly influence effect sizes except for publishers, where activist-branded notifications yielded a statistically significant 3.3% increase in remediation.
- Remediation rates: ad-networks show 81.6% reduction in self-issued dark pool IDs, publishers achieve 54.0% mean remediation, advertisers 72.6%, as measured via matched difference-in-differences.
- Single, well-timed reminders suffice; post-notification measurement windows of 4–5 weeks effectively capture outcome.
7. Recommendations, Limitations, and Future Directions
The collected literature emphasizes several convergent best practices and open challenges:
- Stakeholder targeting: Identify and route VNs to the most directly responsible party; avoid generic abuse forwarding when application-layer remediation is required (Stivala et al., 1 Dec 2025).
- Pre-consultation and segmentation: Early engagement with CSIRTs or notification intermediaries, cohort-driven prioritization, pilot testing (Chen et al., 17 Jun 2025).
- Measurement and transparency: Log all delivery/response/remediation data; publish methodologies and results to facilitate iterative practice improvement.
- Ethical principles: Data minimization, recipient privacy, minimal fear-mongering, clear opt-out and correction channels (Chen et al., 17 Jun 2025, Hove et al., 2023).
- Workload respect: Recipients process large volumes of notifications—concise, evidence-driven, actionable content is essential.
- Human-centered evaluation: LLM-generated notifications require structured human (or LLM-aided) evaluation for correctness, intuitiveness, and actionability (Jüttner et al., 28 May 2025).
- Limitations: Policy alone yields only modest gains; actual resolution requires strong operational and contractual incentives. Unaddressed challenges include output hallucination in automated notifications, end-user engagement barriers, and the lack of scalable, automated notification quality assessment tools (Jüttner et al., 28 May 2025, Hove et al., 2023).
Vulnerability notification is a maturing, multi-dimensional field. Its effectiveness hinges not just on notification format but on structural remediation incentives, decisive communication strategies, robust pipeline automation, and ongoing empirical measurement across a rapidly evolving digital attack surface. Further research is essential to refine messaging, adapt to emerging stakeholder configurations, and ensure automation aligns with human security needs (Chen et al., 17 Jun 2025, Vekaria et al., 11 Jun 2024, Stivala et al., 1 Dec 2025, Jüttner et al., 24 Oct 2025, Jüttner et al., 28 May 2025, Hove et al., 2023).