Vulnerability disclosure is the practice of a finder disclosing a newly found vulnerability to vendors. It has received best practices to ensure communication between stakeholders. However, the practice of a finder or vendor notifying end-users about vulnerable systems and mitigation plans has not received the same attention and guidelines for performing it at scale. We identify the practice as vulnerability notification, which shares similarities with disclosure but presents other challenges and requires different approaches. In vulnerability notification, a finder targets known vulnerabilities or misconfigurations using active scans or datasets to determine how many systems or services remain vulnerable. The scale and complexity of vulnerability notification to end-users are often significantly greater than those of multi-party disclosure to vendors. These place an increasing burden on finders to inform stakeholders on time, especially for academic security researchers, ethical hackers, and practitioners. Based on our experience with notifications and academic publications documenting disclosure and notification operations, we conduct a meta-review of how researchers have adopted best practices, pursued different strategies, and reflected on their operations over the years. Drawing on the meta-review and suggestions from security communities, we propose new best practices for finders to perform vulnerability disclosure, particularly vulnerability notification at scale.