418sec / huntr

Public Roadmap | huntr.dev
https://huntr.dev

Maintainers can customise security advisories #2161

Open psmoros opened 2 years ago

psmoros commented 2 years ago

Pitch

Currently, security advisories that get published on the CVE DB are too generic (i.e. "x is vulnerable to y") or inaccurate (incorrect versions listed as affected). By letting maintainers customise their advisories pre-publication, the affected parties can get a better understanding of the vulnerability.

Clarification: this feature doesn't include the ability for users to edit the summary of their reports on the huntr platform. If you guys want that, please feel free to open another issue.

psmoros commented 2 years ago

From @geeknik:

Hi, I think it would make proper sense to add a "Security Advisory" field to bug reports likely to receive a CVE. This field would be editable by the researcher and the maintainer and allow for the discussion and formatting of a proper security advisory. The value in a CVE being written which only says "xxx is vulnerable to yyy" is low, and I feel that adding the ability for us to write up a simple root cause analysis can go a long way. 1024 characters or less; we don't need a novel. If it's that big of a deal, include a link to a proper write-up. Comments separate from the bug report and hidden from public view (?); discussions about the root cause aren't necessarily that interesting to outside parties, plus if there is a proper write-up, that will be way better to read. Once the "Publish" button is clicked by the maintainer, who in the end is the absolute authority over their own code, the advisory gets posted, the report goes public, everyone gets paid and we move on to the next report. Thoughts?

If I may leave another suggestion, maybe a link to some educational material next to the Advisory field for those folks who have never had to write an advisory before? For instance: https://cveproject.github.io/docs/content/key-details-phrasing.pdf