Vulnerability Disclosure or Notification? Best Practices for Reaching Stakeholders at Scale

📅 2025-06-17
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study addresses two core challenges in large-scale security vulnerability notifications: fragmented multi-stakeholder coordination and persistent conflation between vulnerability disclosure and notification practices. Through cross-case qualitative meta-analysis, operational log reconstruction, and comparative analysis of policy evolution, we systematically distinguish—along objective, procedural, and ethical dimensions—the fundamental nature of vulnerability disclosure (repair-oriented, collaboration-centric) versus vulnerability notification (reach-oriented, scalability-focused). Building on this distinction, we propose the first “end-to-end notification operations framework” tailored for large-scale stakeholder outreach, encompassing message initiation, multi-channel adaptation, and response assessment, accompanied by a dedicated ethical guideline. The framework has been formally integrated into a draft revision of the industry-wide Vulnerability Notification Operations Standard.

📝 Abstract
Security researchers are interested in security vulnerabilities, but these security vulnerabilities create risks for stakeholders. Coordinated Vulnerability Disclosure has been an accepted best practice for many years for disclosing newly discovered vulnerabilities. This practice has mostly worked, but it can become challenging when many different parties are involved. There has also been research into known vulnerabilities, using datasets or active scans to discover how many machines are still vulnerable. The ethical guidelines suggest that researchers also make an effort to notify the owners of these machines. We posit that this differs from vulnerability disclosure and is instead the practice of vulnerability notification. This practice has some similarities with vulnerability disclosure but should be distinguished from it, as it presents other challenges and requires a different approach. Based on our earlier disclosure experience and on prior work documenting disclosure and notification operations, we provide a meta-review of vulnerability disclosure and notification to observe the shifts in strategies in recent years. We assess how researchers initiated their messaging and examine the outcomes. We then compile the best practices for the existing disclosure guidelines and for notification operations.
Problem

Research questions and friction points this paper is trying to address.

Distinguishing between vulnerability disclosure and notification practices
Addressing challenges in notifying multiple stakeholders about vulnerabilities
Compiling best practices for effective vulnerability communication strategies
Innovation

Methods, ideas, or system contributions that make the work stand out.

Coordinated Vulnerability Disclosure for stakeholders
Vulnerability notification using datasets or scans
Meta-review on disclosure and notification strategies