Evidence Discipline
Claims should be supported by the minimum evidence necessary to establish risk, impact, and remediation relevance.
Coordinated Disclosure
Public release should respect affected-party coordination and remediation timelines, and should avoid unnecessary operational detail.
Static by Default
Public infrastructure should remain low-attack-surface: static pages, explicit artifacts, no hidden collection, and no unnecessary runtime services.
No Implied Authorization
Policies, examples, templates, and tools are not permission to test, scan, fuzz, exploit, or access third-party systems.
Publication Discipline
A public artifact should answer what it is, who it is for, what it does not claim, and how it should be reviewed. PCL pages should avoid promotional claims and rely on stable structure, restrained language, and verifiable process to communicate quality.