Vendor security advisories perform a function. They convey info including known vulnerable versions, severity of the vuln if exploited, how to tell if you're affected, & what action to take to fix. Not all bugs require user action to fix. Credit should be given though. https://twitter.com/steventseeley/status/1035542371524636673
Except that so many of them don't do that. Especially "how to tell if you're affected" is usually omitted or intentionally obscured. >_<