Advisory Process

Lifecycle

  1. Intake. Record the report and screen for sensitive material.
  2. Authorization check. Confirm the report can be handled without endorsing unauthorized conduct.
  3. Technical triage. Evaluate affected surface, severity, evidence quality, and confidence.
  4. Evidence review. Remove unnecessary sensitive detail and restrict non-public material.
  5. Coordination. Contact vendor, maintainer, CERT, CNA, or other responsible party where appropriate.
  6. Remediation tracking. Record patch, mitigation, workaround, or vendor position.
  7. Publication review. Validate redaction, severity, timeline, and public utility.
  8. Release. Publish a stable advisory page or record.
  9. Revision. Add corrections, vendor updates, CVE changes, or remediation updates when necessary.

Advisory Quality Bar

An advisory should identify what is affected, why it matters, what to do, and what remains uncertain. It should not publish details whose main effect is to accelerate exploitation, such as working exploit code or the exact inputs that trigger the flaw, when a reader does not need them to assess exposure or apply the fix.

Required Advisory Fields

  • advisory identifier;
  • status;
  • affected vendor and product;
  • affected versions or configurations;
  • summary;
  • impact;
  • severity and confidence;
  • remediation or mitigation;
  • coordination timeline;
  • credits, where the reporter has approved attribution;
  • references;
  • revision history.