Advisory Lifecycle
The advisory lifecycle defines how a vulnerability record becomes a public advisory. It is not a replacement for the disclosure policy or the rules of engagement. It is a publication control that keeps issue-specific records consistent as they move from private coordination to public reference.
A public advisory should not be assembled at the end as an afterthought. The private coordination record should preserve enough structure that the public version can be reviewed, redacted, and published without reconstructing the timeline from memory. The public record should identify what is known, what changed, and what readers should do.
State Model
| State | Meaning | Public Behavior |
|---|---|---|
| Intake | A report or finding has been received | Not public |
| Validation | Evidence is being checked for affected asset, impact, and reproducibility | Not public |
| Coordination | Affected party or maintainer communication is active | Not public unless authorized by process |
| Remediation Pending | Fix or mitigation is under development or review | Not public by default |
| Publication Review | Public text, timeline, severity, and redaction are being reviewed | Not public |
| Published | Advisory is public and citable | Public advisory page active |
| Corrected | Advisory has received a post-publication correction | Public change note required |
| Withdrawn | Advisory should no longer be relied on as stated | Public withdrawal rationale required |
Required Advisory Fields
Every public advisory should include identifier, affected product or service, affected versions when known, impact summary, severity rationale, remediation or mitigation, timeline, credits, references, publication date, and correction path. Unknown fields should be marked directly; they should not be hidden by omission.
Correction Practice
Corrections should be visible and narrow. A correction can fix version scope, remediation wording, timeline errors, or severity rationale. It should not silently rewrite the historical coordination record. If a public advisory becomes unreliable, it should be marked corrected or withdrawn rather than quietly edited.
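The state model, the required-fields rule, and the correction practice above can be enforced mechanically on the advisory record rather than left to reviewer memory. The following is an added illustration, not the page's own tooling: it treats the table order as the forward path through the states (the page lists states but does not draw the edges, so that graph is an assumption), uses assumed snake_case field names for the required fields, accepts an explicit `unknown` marker but rejects omission, and implements a correction as an append-only change note that keeps the prior value. The advisory identifier and all field values in `demo()` are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Any, Optional

UNKNOWN = "unknown"  # explicit marker: an unknown field is stated, never left out

# Fields every public advisory must carry ("Required Advisory Fields"); names are assumed.
REQUIRED_FIELDS = (
    "identifier", "affected_product", "affected_versions", "impact_summary",
    "severity_rationale", "remediation", "timeline", "credits", "references",
    "publication_date", "correction_path",
)

# Fields a post-publication correction may touch ("Correction Practice").
CORRECTABLE_FIELDS = {"affected_versions", "remediation", "timeline", "severity_rationale"}

# Assumption: table order is the forward path; only Published/Corrected may move to
# Corrected or Withdrawn, and Withdrawn is terminal.
TRANSITIONS = {
    "Intake": {"Validation"},
    "Validation": {"Coordination"},
    "Coordination": {"Remediation Pending"},
    "Remediation Pending": {"Publication Review"},
    "Publication Review": {"Published"},
    "Published": {"Corrected", "Withdrawn"},
    "Corrected": {"Corrected", "Withdrawn"},
    "Withdrawn": set(),
}
PUBLIC_STATES = {"Published", "Corrected", "Withdrawn"}


@dataclass
class ChangeNote:
    field_name: str
    old: Any
    new: Any
    rationale: str  # the public change note the Corrected state requires


@dataclass
class Advisory:
    state: str = "Intake"
    fields: dict = field(default_factory=dict)
    change_notes: list = field(default_factory=list)  # append-only; history is never rewritten
    withdrawal_rationale: Optional[str] = None

    def is_public(self) -> bool:
        return self.state in PUBLIC_STATES

    def missing_fields(self) -> list:
        # Absent or None is a gap; the explicit UNKNOWN marker is acceptable.
        return [f for f in REQUIRED_FIELDS if self.fields.get(f) is None]

    def transition(self, new_state: str, rationale: Optional[str] = None) -> None:
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ValueError(f"illegal transition {self.state} -> {new_state}")
        if new_state == "Published":
            missing = self.missing_fields()
            if missing:
                raise ValueError(f"cannot publish with missing fields: {missing}")
        if new_state == "Withdrawn":
            if not rationale:
                raise ValueError("withdrawal requires a public rationale")
            self.withdrawal_rationale = rationale
        self.state = new_state

    def correct(self, field_name: str, new_value: Any, rationale: str) -> None:
        """Narrow, visible correction: one correctable field, logged, prior value kept."""
        if "Corrected" not in TRANSITIONS.get(self.state, set()):
            raise ValueError(f"corrections are not allowed from state {self.state}")
        if field_name not in CORRECTABLE_FIELDS:
            raise ValueError(f"{field_name!r} is not correctable after publication")
        if not rationale:
            raise ValueError("a correction requires a public change note")
        self.change_notes.append(ChangeNote(field_name, self.fields.get(field_name), new_value, rationale))
        self.fields[field_name] = new_value
        self.transition("Corrected")


def demo() -> Advisory:
    """Walk a constructed record through the lifecycle, then apply one narrow correction."""
    adv = Advisory(fields={
        "identifier": "EXAMPLE-ADV-0001",          # placeholder identifier
        "affected_product": "example-service",
        "affected_versions": UNKNOWN,              # stated as unknown at publication time
        "impact_summary": "Constructed impact summary.",
        "severity_rationale": "Constructed severity rationale.",
        "remediation": "Apply the vendor fix when available.",
        "timeline": ["2024-01-01 report received", "2024-01-15 fix confirmed"],
        "credits": ["reporter (constructed)"],
        "references": ["https://example.invalid/advisory"],  # placeholder URL
        "publication_date": "2024-02-01",
        "correction_path": "https://example.invalid/advisory/changes",
    })
    for state in ("Validation", "Coordination", "Remediation Pending", "Publication Review", "Published"):
        adv.transition(state)
    adv.correct("affected_versions", "1.2.0 through 1.4.1", "maintainer confirmed the affected range")
    return adv
```

The design choice worth noting is that `correct()` never overwrites silently: the old value travels into the change note, the advisory moves to Corrected, and an attempt to "correct" credits or the identifier is refused, which is the page's distinction between a narrow public correction and a quiet rewrite.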