Advisory and Vulnerability Publication Guidelines
Purpose
SHLORBT Research Labs publishes security advisories as part of its mission to advance system-level software security and responsible research practices. These guidelines describe how vulnerabilities identified through our research are evaluated, coordinated, and, where appropriate, disclosed publicly.
The objective of this process is to improve software integrity and resilience while minimizing risk to users and infrastructure.
Scope
These guidelines apply to:
- Vulnerabilities identified through SHLORBT Research Labs-led research activities
- Issues reported to SHLORBT Research Labs under the Vulnerability Disclosure Policy
- Security findings related to publicly distributed software, binaries, firmware, or system-level components
These guidelines do not apply to:
- Client-specific systems assessed under private contractual agreements
- Proprietary software examined under confidentiality obligations
- Issues disclosed exclusively through vendor-managed programs unless otherwise agreed
Criteria for Advisory Publication
SHLORBT Research Labs may publish a security advisory when one or more of the following conditions are met:
- The vulnerability affects publicly distributed or widely deployed software
- The issue has been validated through technical analysis
- Reasonable efforts have been made to coordinate with affected vendors or maintainers
- Publication serves a clear defensive or risk-reduction purpose
Not all validated findings result in public advisories. Decisions are made based on impact, exploitability, coordination status, and potential for misuse.
Validation and Review Process
Before publication, all findings undergo an internal technical review to confirm accuracy, scope, and severity. This review includes assessment of:
- Root cause and affected components
- Execution context and preconditions
- Potential impact on confidentiality, integrity, or availability
- Availability of mitigations or fixes
Advisories are written to reflect evidence-based conclusions and avoid unnecessary speculation.
Coordinated Disclosure
SHLORBT Research Labs follows coordinated disclosure practices wherever feasible. This may involve:
- Notifying affected vendors or maintainers
- Allowing reasonable time for remediation
- Aligning publication timelines where appropriate
Disclosure timelines are determined on a case-by-case basis and may vary depending on complexity, severity, and responsiveness of involved parties.
CVE Identification
Where appropriate, SHLORBT Research Labs may request or coordinate the assignment of Common Vulnerabilities and Exposures (CVE) identifiers through authorized channels.
SHLORBT Research Labs is not currently a CVE Numbering Authority (CNA) and does not assign CVE identifiers unless formally authorized within the CVE Program. CVE identifiers for findings are requested through the appropriate vendor CNA, the relevant coordination center, or the MITRE CNA of Last Resort (CNA-LR) where no other CNA has jurisdiction.
CVE references are included in advisories where available to improve traceability, coordination, and industry-standard vulnerability tracking.
Advisory Content and Redaction
Published advisories typically include:
- A clear description of the affected component or software
- Impact assessment and severity context
- High-level technical explanation of the issue
- Mitigation guidance or remediation references
- Disclosure timeline and coordination notes
Technical details may be limited or redacted where full disclosure could increase the risk of misuse or exploitation.
Advisory Identification
Each advisory published by SHLORBT Research Labs is assigned a unique identifier to ensure consistent referencing and archival tracking.
Advisory identifiers follow the format:
- SHL-YYYY-NNN
Where:
- YYYY represents the year of publication
- NNN represents a sequential advisory number for that year
Examples:
- SHL-2026-001
- SHL-2026-002
These identifiers are used in advisory titles, references, and update notices to maintain consistent tracking across publications.
Advisory Format
Each advisory typically includes:
- Advisory ID
- CVE identifier (if assigned)
- Affected software and versions
- Vulnerability description
- Impact assessment
- Technical details (limited if necessary)
- Mitigation or remediation guidance
- Disclosure timeline
Attribution and Acknowledgment
Where appropriate, contributors or reporters may be acknowledged in advisories, subject to consent and confidentiality considerations.
SHLORBT Research Labs reserves the right to omit attribution where required by legal, ethical, or coordination constraints.
Client and Confidential Research
Findings related to client systems, proprietary software, or confidential engagements are not published without explicit authorization.
Such findings are handled through private disclosure channels governed by contractual agreements and are outside the scope of public advisory publication.
Revisions and Corrections
Advisories may be updated to correct inaccuracies, reflect newly available information, or document remediation progress. Significant updates will be clearly indicated.
Relationship to Other Policies
These guidelines should be read in conjunction with:
- Vulnerability Disclosure Policy
- Acceptable Use & Lawful Research Policy
- Security Policy
- Data Privacy Policy
Together, these documents define SHLORBT Research Labs' approach to responsible research and disclosure.
Contact
Questions regarding advisories or disclosure coordination may be directed to:
SHLORBT