Use this template when preparing advisory metadata before publication.
- Advisory title:
- Internal tracking reference (non-public):
- Severity level (S0/S1/S2/S3):
- CVSS score and vector (if available):
- CWE ID(s):
- CVE ID (if assigned):
- One-paragraph vulnerability summary:
- Exploit preconditions:
- Impact scope:
- Ecosystem:
- Package name:
- Affected version range:
- First affected version (if known):
- Last affected version (if known):
- Fixed version(s):
Use a precise, machine-readable range. Include examples as needed:
- Rust crate example: `>=0.1.0, <0.1.8`
- Single affected release: `=0.1.5`
- Multiple windows: `<0.1.4 || >=0.1.6, <0.1.8`
- Root cause summary:
- Vulnerable code path(s):
- Attack vector type (remote/local/authenticated):
- Security boundary crossed:
- Temporary mitigation steps:
- Configuration hardening guidance:
- Detection/monitoring hints:
- Fix PR(s) or commit SHA(s):
- Backport PR(s) or commit SHA(s):
- Validation evidence summary:
  - `cargo test --workspace --all-targets`
  - security-focused targeted tests
- Patch/release notes link(s):
- External references (if any):
- Researcher credits / acknowledgments:
- Affected and fixed versions are explicit and accurate.
- Severity/CVSS/CWE fields are populated or intentionally marked unknown.
- Mitigations are included when no fixed release exists.
- Public text excludes sensitive exploit implementation details.
- Post-disclosure monitoring owner is assigned.
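
The affected-range forms shown in the template (comma-joined comparators, `||` between windows) can be checked mechanically before publication, which supports the "explicit and accurate" checklist item. The Rust code below is an added example, not part of the template or of any project's tooling; its function names, the reading of `,` as AND and `||` as OR, and the plain MAJOR.MINOR.PATCH comparison (no pre-release tags) are assumptions.

```rust
// Added example: evaluates an advisory "affected version range" string.
// Assumed grammar, taken from the template's examples: "||" separates
// windows (OR); "," joins comparators inside one window (AND).
type Version = (u64, u64, u64);

fn parse_version(s: &str) -> Result<Version, String> {
    let parts: Vec<&str> = s.trim().split('.').collect();
    if parts.len() != 3 {
        return Err(format!("expected MAJOR.MINOR.PATCH, got '{}'", s.trim()));
    }
    let num = |p: &str| p.parse::<u64>().map_err(|_| format!("bad number '{}'", p));
    Ok((num(parts[0])?, num(parts[1])?, num(parts[2])?))
}

fn comparator_matches(cmp: &str, v: Version) -> Result<bool, String> {
    let c = cmp.trim();
    // Two-character operators are tried before their one-character prefixes.
    for op in [">=", "<=", ">", "<", "="] {
        if let Some(rest) = c.strip_prefix(op) {
            let bound = parse_version(rest)?;
            return Ok(match op {
                ">=" => v >= bound,
                "<=" => v <= bound,
                ">" => v > bound,
                "<" => v < bound,
                _ => v == bound,
            });
        }
    }
    Err(format!("comparator '{}' has no operator", c))
}

/// True when `version` falls inside any window of `range`.
/// Every comparator is parsed, so a malformed range always yields Err.
fn is_affected(range: &str, version: &str) -> Result<bool, String> {
    let v = parse_version(version)?;
    let mut any = false;
    for window in range.split("||") {
        let mut all = true;
        for cmp in window.split(',') {
            all &= comparator_matches(cmp, v)?;
        }
        any |= all;
    }
    Ok(any)
}

fn main() {
    let range = "<0.1.4 || >=0.1.6, <0.1.8"; // "multiple windows" form from the template
    for v in ["0.1.3", "0.1.5", "0.1.7", "0.1.8"] {
        println!("{}: affected = {:?}", v, is_affected(range, v));
    }
}
```

Running `is_affected` with the advisory's range against each listed fixed version should return `Ok(false)`; an `Ok(true)` or an `Err` means the range or the fixed-version field needs correcting before publication.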