Advisory Template
This template defines the minimum structure for a public PCL advisory. It is written to support remediation, citation, and long-term archival value without publishing unnecessary exploit detail.
Required Sections
- Identifier — stable PCL advisory ID and canonical URL.
- Status — draft, coordinated, published, corrected, withdrawn, or superseded.
- Affected Products — product names, versions, configurations, and tested build identifiers when available.
- Summary — concise impact statement written for technical readers.
- Impact — affected security properties, likely affected users, and operational consequences.
- Severity Rationale — CVSS vector when used, plus PCL priority reasoning and any contextual modifiers.
- Remediation — vendor fix, mitigation, configuration change, or compensating control.
- Timeline — report, acknowledgement, validation, remediation, and publication milestones.
- Credits — researcher, coordinator, vendor, and disclosure acknowledgements.
- References — vendor advisory, CVE, standards references, and related public material.
Publication Rules
The advisory should not include live credentials, bearer tokens, raw customer data, exploit-ready weaponization, or instructions that materially increase abuse risk. Reproduction details should be sufficient for defenders and affected maintainers to understand the issue, not for unrelated operators to exploit it.
Review Checklist
- Scope and authorization were verified.
- Affected-party notification path was attempted or documented.
- Evidence was minimized and redacted.
- Severity language is supported by evidence.
- Canonical URL and identifier are stable.
- Remediation status is clear.
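A pre-publication lint that mechanically checks the Required Sections, the Status vocabulary, and the Publication Rules' exclusion of live credentials, written here as an added example rather than PCL tooling; it assumes advisories are authored as markdown with one "## Heading" per section, and the secret-detection patterns are this example's own assumption.

```python
import re

# Required sections and allowed Status values, taken from the template above.
REQUIRED = ["Identifier", "Status", "Affected Products", "Summary", "Impact",
            "Severity Rationale", "Remediation", "Timeline", "Credits", "References"]
STATUSES = {"draft", "coordinated", "published", "corrected", "withdrawn", "superseded"}
# Material the Publication Rules exclude; the patterns are this example's assumption.
SECRETS = {"bearer token": re.compile(r"\bBearer\s+[A-Za-z0-9._-]{16,}", re.I),
           "private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
           "credential in URL": re.compile(r"://[^\s/:@]+:[^\s/@]+@")}

def parse_sections(text):
    """Split an advisory into {heading: body}; assumes '## Heading' markdown headings."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^##\s+(.+?)\s*$", line)
        if m:
            current, sections[m.group(1)] = m.group(1), []
        elif current is not None:
            sections[current].append(line)
    return {k: "\n".join(v).strip() for k, v in sections.items()}

def lint_advisory(text):
    """Return findings (empty list = passes): missing/empty sections, bad Status, excluded material."""
    sections, findings = parse_sections(text), []
    for name in REQUIRED:
        if name not in sections:
            findings.append(f"missing section: {name}")
        elif not sections[name]:
            findings.append(f"empty section: {name}")
    status = sections.get("Status", "").lower()
    if status and status not in STATUSES:
        findings.append(f"invalid status: {status}")
    for label, pat in SECRETS.items():
        for m in pat.finditer(text):
            findings.append(f"publication rule: {label} at line {text.count(chr(10), 0, m.start()) + 1}")
    return findings

# Constructed sample (not a real PCL advisory): Timeline missing, Credits empty, Status outside the set, token left in.
SAMPLE = "\n".join([
    "## Identifier", "PCL-EXAMPLE-0001 https://example.invalid/advisories/PCL-EXAMPLE-0001",
    "## Status", "pending",
    "## Affected Products", "ExampleApp 1.2.0 through 1.2.3, default configuration (placeholder)",
    "## Summary", "Placeholder summary text.",
    "## Impact", "Placeholder impact text.",
    "## Severity Rationale", "Placeholder CVSS vector and PCL priority reasoning.",
    "## Remediation", "Upgrade to 1.2.4 (placeholder).",
    "## Credits",
    "## References", "Vendor advisory; header seen in testing: Authorization: Bearer AbCdEfGhIjKlMnOpQrStUvWxYz",
])
```

Running `lint_advisory(SAMPLE)` reports the missing Timeline, the empty Credits section, the unrecognised status, and the line holding the token-shaped string, which is the set of checks a reviewer would otherwise perform by hand against the checklist.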