Hey Matthias,
We share the same problem very often.
Sometimes they come with the advisory as an indicator of compromise to check
in the logs. Sometimes in an accompanying blog post that explains the
vulnerability in detail. But very often the vendor keeps it back, the
person who did the discovery is cautious to not incentivize any criminals and
sometimes a proof of concept does not even exist.
Which brings us to the situation where we think we might be covering for a
certain vulnerability but we cannot tell for sure and you are left on your
own devices.
I understand that this is unsatisfying, but it would indeed be a separate project
of its own to try and document this for 20+K vulnerabilities every year. Or a
possible differentiator for a commercial CRS integrator that keeps an overview
in order to share with its customers.
Best,
Christian