The Binarly Transparency Platform provides automatic advisory generation for UEFI vulnerabilities that can be shared internally, with third-party vendors, or publicly. These advisories consolidate all available technical information about a UEFI vulnerability.

Advisory Content

Each automatically generated advisory includes technical details about the UEFI vulnerability: a summary with a concise description of the security issue, affected component details including the vulnerable UEFI module’s name, GUID, and hash values, and a risk assessment in the form of the vulnerability’s CVSS vector and score. Below is an excerpt of a generated advisory.

[Figure: An example BTP Automatic Advisory]

The technical analysis provides the specific address of the vulnerable function within the module, decompiled function body showing the actual vulnerable code, a technical breakdown of the vulnerable code lines and how they can be exploited, and suggested fixes and mitigation strategies to address the vulnerability.

Generating Advisories

The Automatic Advisory can be generated from the finding details page (see below).

[Figure: The finding details context menu option for Automatic Advisories]

  1. Navigate to the finding details page for a UEFI vulnerability
  2. Click the three-dot menu in the finding details interface
  3. Select Get Advisory from the dropdown menu
  4. Choose your preferred output format:
    • PDF: Formatted document suitable for formal distribution and presentation
    • Markdown: Text-based format ideal for integration with documentation systems or further editing
If a Jira ticket exists for the finding, the advisory can be stored in the ticket as an attachment instead of being downloaded. To do this, choose “Attach to Jira ticket” in the “Get Advisory” menu and select the desired format: PDF or Markdown (MD).

Use Cases

Automatic advisories serve multiple communication scenarios. They can aid internal communication by sharing detailed vulnerability analysis with internal security teams and supporting incident response and vulnerability management processes. Advisories can also be used for third-party vendor coordination with firmware developers or OEMs, providing technical details that facilitate patch development and coordinated disclosure processes without giving the third party access to the Binarly Transparency Platform. Finally, automatic advisories support public disclosure by providing standardized vulnerability reports that ensure consistent and comprehensive information sharing with the security community and maintain technical accuracy.