Advisories

Advisories are the durable public records for coordinated vulnerability disclosures handled or published by PunchCard Labs. An advisory should be specific enough for defenders and affected parties to understand impact and remediation while avoiding unnecessary exploit mechanics or sensitive evidence.

The advisory surface is intentionally separated from broader reports. An advisory is tied to an affected product, issue, status, timeline, and remediation path. Reports may be broader; advisories should be precise.

Publication Standard

A public advisory should have a stable identifier, canonical URL, affected product/version statement, impact summary, severity rationale, remediation guidance, timeline, credits, and references. If any of those fields are unknown, the advisory should say so directly rather than imply certainty.

A publication standard keeps the absence of records distinct from a broken route. If no public artifact exists yet, the page should say so directly, identify what will appear here later, and point users to the nearest useful policy or contact path.

Lifecycle Model

The advisory lifecycle page defines the path from intake to validation, coordination, publication, correction, or withdrawal. Keeping that state model public makes future advisories easier to interpret because readers can distinguish an empty advisory index from an incomplete disclosure record.