This is embargoed notification of a vulnerability discovered in $PROJECT. This notification is sent to let distributors and service providers plan for applying patches to reduce the time of user exposure. Information below should be kept confidential until the listed embargo date. Please do not forward this information to other parties.
A brief (as short as possible, about a paragraph) summary of the vulnerability using technical details. The goal of this is to allow the vendor to do a quick assessment of what the bug is about.
[Low, Medium, HIGH, CRITICAL] - Accompany your assessment with a motivation, and even a good attack scenario to explain the risk associated. Including CVSS scoring is optional, but if you include the score, also include the vector phrase
CODE or Command Lines. We want to offer a concrete, usable, and repeatable way for the vendor to reproduce the issue you are raising so they can test fixes and mitigations.
Known remediation or planned patch. Include when patch will be available OR links to where the patch is/will be available, or reference attached patch.
If you wish to add more context or information, we recommend adding it after the critical sections mentioned here.
Date reported:
Date fixed:
Date to be disclosed:
(Optional - communication and updates summary)
Public disclosure date: $DATE $TIME $TIMEZONE
Please do not make the issue public, issue user communications, share this information with others, or issue public patches before the disclosure date. We will notify this list immediately if the disclosure date is at risk or changes.