Research Program Map
The research program map defines the kinds of work the public site is prepared to describe. It does not authorize testing and does not replace the rules of engagement. Its purpose is to keep research language coherent as reports, advisories, examples, and tools accumulate.
Research output should be practical enough for defenders and reviewers to understand the issue without turning the site into an exploit handbook. The site can publish methodology, classification, severity rationale, and sanitized evidence patterns. It should avoid unnecessary payload detail, live target material, credentials, private vendor evidence, or operational steps that make abuse easier.
Research Lines
| Line | Output | Public Boundary |
|---|---|---|
| Vulnerability coordination | Advisories, timelines, remediation notes | Publish after evidence review is complete and coordination state is settled |
| Defensive tooling | Browser-local utilities, validators, release notes | No hidden network behavior, no unreviewed binary release |
| Evidence handling | Redaction standards, examples, report templates | Public examples remain synthetic or sanitized |
| Severity analysis | Severity model, impact rationale, data fields | Explain reasoning without overstating certainty |
| Aggregate records | Schemas, metrics, data publications | Publish only with source boundary and bias notes |
Publication Outputs
A research item should choose the narrowest sufficient output. A vulnerability with a vendor remediation path belongs in an advisory. A broader methodology or trend belongs in a report. A reusable format belongs in data or schemas. A local utility belongs in tools. A sanitized teaching artifact belongs in examples.
That separation prevents overloading a single route with every detail. It also helps readers understand what kind of confidence the page is offering. An advisory says what changed for an affected issue. A report explains a method or finding. A schema defines a record shape. A tool produces local output that the user must interpret in context.
Boundary Questions
Before publication, a research page should answer whether the material requires authorization context, whether it contains sensitive evidence, whether it could enable direct misuse, whether affected parties have been notified when appropriate, and whether the public version can stand on its own after redaction. If the answer is unclear, the work belongs in review rather than public navigation.